fix(backend): update OAuth client details in installation callback

Lasim · Lasim · commit 39b4c09a6f8b · 2026-02-07T21:43:39.000+01:00
diff --git a/services/backend/src/jobs/refresh-oauth-tokens.ts b/services/backend/src/jobs/refresh-oauth-tokens.ts
@@ -161,11 +161,22 @@ export async function refreshExpiringOAuthTokens(logger: FastifyBaseLogger) {
 				// Determine client ID: use stored DCR client ID or fall back to 'deploystack'
 				const clientId = installation.oauth_client_id || 'deploystack';
 
+				// Decrypt client secret if stored (from DCR or pre-registered provider)
+				const clientSecret = installation.oauth_client_secret
+					? decrypt(installation.oauth_client_secret, logger)
+					: null;
+
+				// Use stored token endpoint (from installation) with fallback to discovery
+				const tokenEndpoint = installation.oauth_token_endpoint || discovery.metadata.token_endpoint;
+				const tokenEndpointAuthMethod = installation.oauth_token_endpoint_auth_method || 'none';
+
 				// Refresh access token
 				const newTokens = await tokenService.refreshToken({
 					refreshToken: decryptedRefreshToken,
 					clientId,
-					tokenEndpoint: discovery.metadata.token_endpoint,
+					tokenEndpoint,
+					clientSecret,
+					tokenEndpointAuthMethod: tokenEndpointAuthMethod as 'client_secret_post' | 'client_secret_basic' | 'none',
 				});
 
 				// Update encrypted tokens in database
diff --git a/services/backend/src/routes/mcp/installations/callback.ts b/services/backend/src/routes/mcp/installations/callback.ts
@@ -466,11 +466,11 @@ export default async function oauthCallbackRoute(server: FastifyInstance) {
 					oauth_code_verifier: null,
 					oauth_pending: false,
 					oauth_pending_expires_at: null,
-					oauth_client_id: null,
-					oauth_client_secret: null,
-					oauth_provider_id: null,
-					oauth_token_endpoint: null,
-					oauth_token_endpoint_auth_method: null,
+					oauth_client_id: flow.oauth_client_id,
+					oauth_client_secret: flow.oauth_client_secret,
+					oauth_provider_id: flow.oauth_provider_id || null,
+					oauth_token_endpoint: flow.oauth_token_endpoint,
+					oauth_token_endpoint_auth_method: flow.oauth_token_endpoint_auth_method,
 					created_at: new Date(),
 					updated_at: new Date(),
 					last_used_at: null,
