From 04c64e97b04cd6e51f11327dad07826e1056482b Mon Sep 17 00:00:00 2001 From: Chris Coutinho Date: Mon, 15 Dec 2025 23:15:52 +0100 Subject: [PATCH] fix(astrolabe): handle OAuth refresh token rotation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes 401 errors after first token refresh when using IdPs that implement refresh token rotation (Keycloak, modern OAuth providers). **Root Cause**: McpTokenStorage::getAccessToken() was discarding the new refresh token returned by the IdP after successful refresh, always keeping the old one. This caused: - First refresh: works (uses original refresh token) - Second refresh: fails with 401 (old refresh token invalidated by IdP) **Solution**: Use new refresh token from IdP response if provided, fall back to old token for providers that don't rotate refresh tokens. **Changed**: - lib/Service/McpTokenStorage.php:184 From: $token['refresh_token'] // Always old token To: $newTokenData['refresh_token'] ?? $token['refresh_token'] **Verified**: ApiController already handles rotation correctly using the same pattern. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 --- third_party/astroglobe/lib/Service/McpTokenStorage.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/third_party/astroglobe/lib/Service/McpTokenStorage.php b/third_party/astroglobe/lib/Service/McpTokenStorage.php index 435a1c0..1e623f0 100644 --- a/third_party/astroglobe/lib/Service/McpTokenStorage.php +++ b/third_party/astroglobe/lib/Service/McpTokenStorage.php @@ -177,10 +177,11 @@ class McpTokenStorage { if ($newTokenData && isset($newTokenData['access_token'])) { // Store refreshed token + // Use new refresh token if provided (rotation), otherwise keep old one $this->storeUserToken( $userId, $newTokenData['access_token'], - $token['refresh_token'], // Keep same refresh token + $newTokenData['refresh_token'] ?? $token['refresh_token'], time() + ($newTokenData['expires_in'] ?? 3600) );