Fix: preserve existing refresh_token when server omits it in refresh response #2280

Closed
Jah-yee wants to merge 1 commit into modelcontextprotocol:main from Jah-yee:fix/preserve-refresh-token

@Jah-yee commented Mar 11, 2026

Fixes #2270

Per RFC 6749 Section 6, the server MAY issue a new refresh token. If the response omits it, preserve the existing one.

Many OAuth providers (Google, Auth0, Okta) omit refresh_token from refresh responses by default. The current behavior causes can_refresh_token() to return False after the first refresh, forcing full re-authentication.

…response

Per RFC 6749 Section 6, the server MAY issue a new refresh token.
If the response omits it, preserve the existing one to prevent
can_refresh_token() from returning False after first refresh.

Fixes modelcontextprotocol#2270
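
The difference between the two behaviours described above, as an added Python illustration (not the SDK's code and not part of this PR). `StoredToken`, `replace_wholesale`, `merge_refresh` and `can_refresh` are hypothetical names, and the token values are constructed. It also covers rotation, where RFC 6749 Section 6 requires the client to discard the old refresh token.

```python
import time
from dataclasses import dataclass
from typing import Any, Mapping, Optional


@dataclass(frozen=True)
class StoredToken:  # hypothetical client-side token record
    access_token: str
    refresh_token: Optional[str] = None
    expires_at: Optional[float] = None


def _parse(response: Mapping[str, Any], now: float) -> StoredToken:
    """Build a token record from the refresh response alone."""
    access = response.get("access_token")
    if not isinstance(access, str) or not access:
        raise ValueError("refresh response has no access_token")
    expires_in = response.get("expires_in")
    expires_at = now + float(expires_in) if expires_in is not None else None
    refresh = response.get("refresh_token")
    if not isinstance(refresh, str) or not refresh:
        refresh = None  # absent, null or empty all count as "omitted"
    return StoredToken(access, refresh, expires_at)


def replace_wholesale(current: StoredToken, response, now=None) -> StoredToken:
    """Behaviour reported as the bug: the stored refresh token is dropped."""
    return _parse(response, time.time() if now is None else now)


def merge_refresh(current: StoredToken, response, now=None) -> StoredToken:
    """Keep the stored refresh token unless the server issues a new one."""
    fresh = _parse(response, time.time() if now is None else now)
    if fresh.refresh_token is None:
        return StoredToken(fresh.access_token, current.refresh_token, fresh.expires_at)
    return fresh  # rotation: the old refresh token must be discarded


def can_refresh(token: StoredToken) -> bool:
    return token.refresh_token is not None


# Constructed sample data, not real credentials.
CURRENT = StoredToken("at-1", "rt-1", 1000.0)
OMITTED = {"access_token": "at-2", "token_type": "Bearer", "expires_in": 3600}
ROTATED = {"access_token": "at-3", "token_type": "Bearer", "refresh_token": "rt-2"}
```
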

@maxisbey closed this Mar 12, 2026

@maxisbey (Contributor)

fyi we have chosen to ban your account from mcp repos due to spamming PRs after I closed them with a warning

Development

Successfully merging this pull request may close these issues.

_handle_refresh_response discards existing refresh_token when server omits it
