fix(core): refresh MCP OAuth with stored client ID#27889

Open
he-yufeng wants to merge 1 commit into google-gemini:main from he-yufeng:fix/mcp-stored-client-id-refresh-v2

@he-yufeng

Summary

Fix the MCP OAuth refresh path used after /mcp auth when an auto-discovered server has no static oauth.clientId in settings.

The CLI already persists the discovered client ID in token metadata, but getValidTokenWithMetadata() refreshed with the original server config. For auto-discovered providers that config can still have no client ID, so refresh failed, the freshly stored credentials were deleted, and the restarted MCP connection had no bearer token to attach.

Details

  • Use the stored credential client ID as the effective refresh client ID when the static config does not provide one.
  • Preserve that effective client ID when writing refreshed credentials back to storage.
  • Add regression coverage for the normal access-token path and the metadata-returning provider path.

This supersedes #27752, which had the same fix but was auto-closed by the repository PR rate limiter while I had seven open PRs.

Related Issues

Fixes #27745

How to Validate

Validated on Windows with:

  • npm test --workspace @google/gemini-cli-core -- src/mcp/oauth-provider.test.ts
  • npm run typecheck --workspace @google/gemini-cli-core
  • npm run lint --workspace @google/gemini-cli-core -- --max-warnings 0
  • git diff --check

Expected result: the focused OAuth provider suite passes, the core package type-checks and lints, and the patch has no whitespace errors.

Pre-Merge Checklist

  • Updated relevant documentation and README (if needed)
  • Added/updated tests (if needed)
  • Noted breaking changes (if any)
  • Validated on required platforms/methods:
    • MacOS
      • npm run
      • npx
      • Docker
      • Podman
      • Seatbelt
    • Windows
      • npm run
      • npx
      • Docker
    • Linux
      • npm run
      • npx
      • Docker
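
The refresh path described in this PR, as an added example that is not part of the pull request or of gemini-cli's code: a simplified, synchronous model in which a flag switches between refreshing with the static config only and falling back to the client ID stored with the token. All type and function names here, the in-memory store and the fake token endpoint are assumptions made for illustration.

```typescript
// Added illustration: hypothetical names, not gemini-cli's own types or API.
interface StoredCredentials {
  clientId?: string; // client ID persisted alongside the token
  accessToken: string;
  refreshToken: string;
  expiresAt: number; // epoch milliseconds
}
interface ServerOAuthConfig { clientId?: string }
interface RefreshResult { accessToken: string; refreshToken?: string; expiresIn: number }
type RefreshFn = (clientId: string | undefined, refreshToken: string) => RefreshResult;

// Constructed stand-in for a token endpoint: it rejects a refresh without a client_id.
const fakeTokenEndpoint: RefreshFn = (clientId, _refreshToken) => {
  if (!clientId) throw new Error('invalid_client: missing client_id');
  return { accessToken: `access-for-${clientId}`, expiresIn: 3600 };
};

function getValidToken(
  store: Map<string, StoredCredentials>, server: string, config: ServerOAuthConfig,
  refresh: RefreshFn, useStoredClientId: boolean, now: number,
): string | null {
  const creds = store.get(server);
  if (!creds) return null;
  if (creds.expiresAt > now) return creds.accessToken; // still valid, no refresh
  // Behaviour described in the PR: static config wins, else the stored client ID.
  const clientId = config.clientId ?? (useStoredClientId ? creds.clientId : undefined);
  try {
    const r = refresh(clientId, creds.refreshToken);
    store.set(server, {
      clientId, // keep the effective client ID so the next refresh also works
      accessToken: r.accessToken,
      refreshToken: r.refreshToken ?? creds.refreshToken,
      expiresAt: now + r.expiresIn * 1000,
    });
    return r.accessToken;
  } catch {
    store.delete(server); // a failed refresh discards the stored credentials
    return null;
  }
}

// Auto-discovered server: empty static config, expired token, stored client ID.
function demo(useStoredClientId: boolean) {
  const store = new Map<string, StoredCredentials>([['srv', {
    clientId: 'discovered-client', accessToken: 'old', refreshToken: 'rt', expiresAt: 0,
  }]]);
  const token = getValidToken(store, 'srv', {}, fakeTokenEndpoint, useStoredClientId, 1000);
  return { token, storedClientId: store.get('srv')?.clientId ?? null };
}
```

`demo(false)` reproduces the failure mode from the Summary (no token, credentials gone); `demo(true)` returns a refreshed token and leaves the client ID in storage.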

@he-yufeng he-yufeng requested a review from a team as a code owner June 13, 2026 20:51
@gemini-code-assist

Contributor

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses an issue where auto-discovered MCP servers without a static client ID in their configuration failed to refresh their OAuth tokens. By utilizing the client ID already persisted in the token metadata, the system can now successfully perform token refreshes, preventing unnecessary credential deletion and connection failures.

Highlights

  • OAuth Refresh Logic: Updated the MCP OAuth refresh flow to use the stored client ID from credentials when the static server configuration lacks a client ID.
  • Credential Persistence: Ensured that the effective client ID is preserved when saving refreshed credentials back to storage.
  • Regression Testing: Added comprehensive test coverage for both standard access-token paths and metadata-returning provider paths to verify the fix.

@github-actions github-actions Bot added the size/m A medium sized PR label Jun 13, 2026
@github-actions

📊 PR Size: size/M

  • Lines changed: 97
  • Additions: +93
  • Deletions: -4
  • Files changed: 2

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor

Code Review

This pull request updates the MCP OAuth provider to fall back to the stored client ID (credentials.clientId) when refreshing an expired token if the current configuration does not provide one. This fallback is applied in both getValidToken and getValidTokenWithMetadata flows, and corresponding unit tests have been added to verify this behavior. There are no review comments, so I have no feedback to provide.

@gemini-cli gemini-cli Bot added priority/p1 Important and should be addressed in the near term. area/agent Issues related to Core Agent, Tools, Memory, Sub-Agents, Hooks, Agent Quality labels Jun 13, 2026
@lucaslimacodes

@he-yufeng I'm currently having this issue when Gemini CLI tries to refresh a token from an MCP that implements DCR:
image

This PR will fix this, right?

Development

Successfully merging this pull request may close these issues.

HTTP MCP OAuth: token acquired but not attached to request