fix(OAuth2): refresh token is optional (backport #26266) #26271
Merged
Don't overwrite `refresh_token` with an empty string if no new `refresh_token` is received (i.e. the old one is still valid).
Ref: https://www.rfc-editor.org/rfc/rfc6749#section-5.1
For example, Google only sends one refresh token on first authorization. The access token is pretty short-lived. When it expires, we try to refresh it and receive a new access token – but no new refresh token. In this case we used to overwrite the refresh token, which remained valid, with an empty string. So the next refresh will not be successful anymore; the integration breaks after two cycles.
With this PR, we only change the refresh token when we actually receive a new one.
This is an automatic backport of pull request #26266 done by [Mergify](https://mergify.com).
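
The failure mode described in this PR, as an added Python example (not the project's code): `apply_refresh_buggy`, `apply_refresh_fixed`, `FakeTokenEndpoint` and all token values are hypothetical and constructed for illustration. The fake endpoint behaves like a server that treats `refresh_token` as optional in the refresh response (RFC 6749 section 5.1) and never rotates it.

```python
def apply_refresh_buggy(stored, response):
    """Pre-fix behaviour: a missing refresh_token becomes an empty string."""
    updated = dict(stored)
    updated["access_token"] = response["access_token"]
    updated["refresh_token"] = response.get("refresh_token", "")
    return updated


def apply_refresh_fixed(stored, response):
    """Replace the stored refresh_token only when a new one was issued."""
    updated = dict(stored)
    updated["access_token"] = response["access_token"]
    new_refresh = response.get("refresh_token")
    if new_refresh:  # absent or empty: the old token is still valid
        updated["refresh_token"] = new_refresh
    return updated


class FakeTokenEndpoint:
    """Constructed stand-in: issues one refresh token and never rotates it."""

    def __init__(self, valid_refresh_token):
        self.valid = valid_refresh_token
        self.issued = 0

    def refresh(self, refresh_token):
        if refresh_token != self.valid:
            raise PermissionError("invalid_grant")
        self.issued += 1
        # No "refresh_token" key in the response.
        return {"access_token": f"access-{self.issued}",
                "token_type": "Bearer", "expires_in": 3600}


def run_cycles(apply_refresh, cycles):
    """Run refresh cycles; return (successful refreshes, final stored tokens)."""
    server = FakeTokenEndpoint("refresh-initial")
    stored = {"access_token": "access-0", "refresh_token": "refresh-initial"}
    done = 0
    for _ in range(cycles):
        try:
            response = server.refresh(stored["refresh_token"])
        except PermissionError:
            break  # stored refresh token was wiped; re-authorization needed
        stored = apply_refresh(stored, response)
        done += 1
    return done, stored
```
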