fix(core): refresh MCP OAuth with stored client ID

[he-yufeng]

Summary

Refresh HTTP MCP OAuth tokens with the client ID persisted during dynamic client registration.

Details

Auto-discovered OAuth servers can store a dynamically registered client ID without adding it to the static MCP server config. Both token lookup paths could find that stored client ID, but the refresh call still received the original config and failed with Missing required clientId for token refresh.

This passes the effective client ID into token refresh and preserves it when saving the refreshed token. Regression tests cover both the plain access-token path and the metadata path used by the dynamic stored OAuth provider.

Related Issues

Fixes #27745

How to Validate

npm test --workspace @google/gemini-cli-core -- src/mcp/oauth-provider.test.ts
npm run typecheck --workspace @google/gemini-cli-core
npm run lint --workspace @google/gemini-cli-core -- --max-warnings 0
npx prettier --check packages/core/src/mcp/oauth-provider.ts packages/core/src/mcp/oauth-provider.test.ts
git diff --check origin/main...HEAD

Expected: the OAuth provider tests pass, including refresh with a stored client ID when the static config omits it.

Pre-Merge Checklist

• Updated relevant documentation and README (if needed)
• Added/updated tests (if needed)
• Noted breaking changes (if any)
• Validated on required platforms/methods:
  • MacOS
    • npm run
    • npx
    • Docker
    • Podman
    • Seatbelt
  • Windows
    • npm run
    • npx
    • Docker
  • Linux
    • npm run
    • npx
    • Docker

[github-actions]

📊 PR Size: size/M

• Lines changed: 97
• Additions: +93
• Deletions: -4
• Files changed: 2

[github-actions]

You already have 7 pull requests open. Please work on getting existing PRs merged before opening more.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses an issue where MCP OAuth token refreshes would fail if the client ID was not explicitly defined in the static configuration, despite being available in the stored credentials. By dynamically resolving the client ID from the stored credentials when necessary, the system can now successfully refresh tokens for auto-discovered OAuth servers.

Highlights

• OAuth Token Refresh Logic: Updated the token refresh process to prioritize the stored client ID from credentials when the static configuration does not provide one.
• Persistence: Ensured that the effective client ID is correctly preserved when saving refreshed tokens to storage.
• Testing: Added regression tests for both standard access-token paths and metadata-based OAuth provider paths to verify the fix.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request updates the MCPOAuthProvider to fall back to the stored clientId from credentials when the configuration does not provide one during token refresh. It also adds corresponding unit tests to verify this behavior in both getValidToken and getValidTokenWithMetadata. I have no feedback to provide as there are no review comments.