fix(auth): preserve refresh_token when refresh response omits it#949
Open
SarthakB11 wants to merge 1 commit into
Conversation
Per RFC 6749 section 6 and OAuth 2.1: when the server does not issue a new refresh_token on a refresh response, the client MUST keep the existing one. AuthorizationManager::refresh_token() was persisting the response verbatim, dropping the previous refresh_token and forcing full re-authorization on the next refresh.

Match the fix from python-sdk#2270: preserve the existing refresh_token when the response omits it, replace when the server rotates.

Fixes modelcontextprotocol#921

Signed-off-by: SarthakB11 <sarthak.bhardwaj21b@iiitg.ac.in>
alexhancock approved these changes on Jul 2, 2026
Title: fix(auth): keep existing refresh token when refresh response omits it

Motivation and Context

This fixes token loss on refresh responses that omit refresh_token. RFC 6749 §6 and the OAuth 2.1 draft make rotation optional, so when the server omits the field the client should keep the token it already holds; AuthorizationManager::refresh_token() was persisting the response verbatim, wiping the stored refresh token and forcing full re-authorization on the next call. The same bug was fixed in the Python SDK (modelcontextprotocol/python-sdk#2270).

Fixes #921.

How Has This Been Tested?

Added regression tests in crates/rmcp/src/transport/auth.rs covering both the omit case (server drops refresh_token, client keeps the existing one) and the rotate case (server issues a new refresh_token, client replaces). cargo test --features auth --lib refresh_token_passes.

Breaking Changes

None. Public API is unchanged. The only behavior change is that a refresh response without a refresh_token no longer wipes the stored refresh token.

Types of changes

Checklist
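The merge rule the PR describes (keep the stored refresh_token when the refresh response omits it, replace it when the server rotates), written out as a stand-alone Rust example. This is an added illustration, not rmcp's AuthorizationManager code or its tests; the types StoredTokens and RefreshResponse and the functions merge_verbatim (the pre-fix behaviour as the PR describes it) and merge_preserving (the RFC 6749 §6 behaviour) are hypothetical, and the sample token values are constructed. One choice that goes slightly beyond the PR text: an empty-string refresh_token in the response is treated the same as an omitted one, since an empty token can never be redeemed and overwriting a usable one with it would cause the same forced re-authorization.

```rust
// Added example, not project code. Demonstrates how a client should merge a
// refresh_token-grant response (RFC 6749 §5.1) into its stored credentials.

#[derive(Clone, Debug, PartialEq)]
pub struct StoredTokens {
    pub access_token: String,
    /// None means the client holds no refresh token and must re-authorize.
    pub refresh_token: Option<String>,
    pub expires_in: Option<u64>,
}

/// Fields the token endpoint may return on a refresh. `refresh_token` is
/// optional: a server that does not rotate simply omits it.
#[derive(Clone, Debug)]
pub struct RefreshResponse {
    pub access_token: String,
    pub refresh_token: Option<String>,
    pub expires_in: Option<u64>,
}

/// The buggy behaviour the PR describes: persist the response verbatim, so an
/// omitted refresh_token overwrites the stored one with None.
pub fn merge_verbatim(_stored: &StoredTokens, resp: &RefreshResponse) -> StoredTokens {
    StoredTokens {
        access_token: resp.access_token.clone(),
        refresh_token: resp.refresh_token.clone(),
        expires_in: resp.expires_in,
    }
}

/// RFC 6749 §6 behaviour: the access token and expiry always come from the
/// response; the refresh token is replaced only when the server issued a new
/// one (rotation), otherwise the stored one is kept. An empty string is
/// treated as "not issued" (design choice of this example, not from the PR).
pub fn merge_preserving(stored: &StoredTokens, resp: &RefreshResponse) -> StoredTokens {
    let issued = resp
        .refresh_token
        .as_deref()
        .filter(|t| !t.is_empty())
        .map(str::to_owned);
    StoredTokens {
        access_token: resp.access_token.clone(),
        refresh_token: issued.or_else(|| stored.refresh_token.clone()),
        expires_in: resp.expires_in,
    }
}

/// Constructed sample state: what the client holds before the refresh.
pub fn sample_stored() -> StoredTokens {
    StoredTokens {
        access_token: "at-old".to_string(),
        refresh_token: Some("rt-old".to_string()),
        expires_in: Some(3600),
    }
}

/// Constructed response from a server that does not rotate refresh tokens.
pub fn omit_response() -> RefreshResponse {
    RefreshResponse {
        access_token: "at-new".to_string(),
        refresh_token: None,
        expires_in: Some(3600),
    }
}

/// Constructed response from a server that rotates refresh tokens.
pub fn rotate_response() -> RefreshResponse {
    RefreshResponse {
        access_token: "at-new".to_string(),
        refresh_token: Some("rt-new".to_string()),
        expires_in: Some(3600),
    }
}

fn main() {
    let stored = sample_stored();
    println!("omit/verbatim:    {:?}", merge_verbatim(&stored, &omit_response()));
    println!("omit/preserving:  {:?}", merge_preserving(&stored, &omit_response()));
    println!("rotate/preserving: {:?}", merge_preserving(&stored, &rotate_response()));
}
```

In the rotate case the old value is dropped on purpose: RFC 6749 §6 says that when the server issues a new refresh token the client MUST discard the old one, and OAuth 2.1 servers that rotate typically treat presentation of an already-rotated token as a sign of theft and revoke the whole grant, so a client must never keep both and retry the old one.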