Save existing refresh_token in store if no new refresh_token is returned (#483)

fredericbarthelet · web-flow · commit 281cf0bf8d30 · 2025-05-21T17:29:56.000+01:00
As described in https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12#name-refresh-token-response, server MAY return a new refresh_token. In case it doesn't, current implementation discard initial refresh token if it was still valid.
diff --git a/src/client/auth.test.ts b/src/client/auth.test.ts
@@ -506,6 +506,9 @@ describe("OAuth Authorization", () => {
       access_token: "newaccess123",
       token_type: "Bearer",
       expires_in: 3600,
+    }
+    const validTokensWithNewRefreshToken = {
+      ...validTokens,
       refresh_token: "newrefresh123",
     };
 
@@ -520,15 +523,15 @@ describe("OAuth Authorization", () => {
       mockFetch.mockResolvedValueOnce({
         ok: true,
         status: 200,
-        json: async () => validTokens,
+        json: async () => validTokensWithNewRefreshToken,
       });
 
       const tokens = await refreshAuthorization("https://auth.example.com", {
         clientInformation: validClientInfo,
         refreshToken: "refresh123",
       });
 
-      expect(tokens).toEqual(validTokens);
+      expect(tokens).toEqual(validTokensWithNewRefreshToken);
       expect(mockFetch).toHaveBeenCalledWith(
         expect.objectContaining({
           href: "https://auth.example.com/token",
@@ -548,6 +551,22 @@ describe("OAuth Authorization", () => {
       expect(body.get("client_secret")).toBe("secret123");
     });
 
+    it("exchanges refresh token for new tokens and keep existing refresh token if none is returned", async () => {
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        status: 200,
+        json: async () => validTokens,
+      });
+
+      const refreshToken = "refresh123";
+      const tokens = await refreshAuthorization("https://auth.example.com", {
+        clientInformation: validClientInfo,
+        refreshToken,
+      });
+
+      expect(tokens).toEqual({ refresh_token: refreshToken, ...validTokens });
+    });
+
     it("validates token response schema", async () => {
       mockFetch.mockResolvedValueOnce({
         ok: true,
diff --git a/src/client/auth.ts b/src/client/auth.ts
@@ -474,7 +474,7 @@ export async function refreshAuthorization(
     throw new Error(`Token refresh failed: HTTP ${response.status}`);
   }
 
-  return OAuthTokensSchema.parse(await response.json());
+  return OAuthTokensSchema.parse({ refresh_token: refreshToken, ...(await response.json()) });
 }
 
 /**

Original file line number	Diff line number	Diff line change
`@@ -474,7 +474,7 @@ export async function refreshAuthorization(`
`474`	`474`	throw new Error(`Token refresh failed: HTTP ${response.status}`);
`475`	`475`	`}`
`476`	`476`
`477`		`- return OAuthTokensSchema.parse(await response.json());`
	`477`	`+ return OAuthTokensSchema.parse({ refresh_token: refreshToken, ...(await response.json()) });`
`478`	`478`	`}`
`479`	`479`
`480`	`480`	`/**`