fix(auth): persist rotated refresh tokens during API calls#373
Merged
steipete merged 1 commit intoopenclaw:mainfrom Mar 7, 2026
Merged
Conversation
Why - gogcli refreshed access tokens from a stored refresh token but never wrote back a rotated refresh token returned by Google. - In multi-process CLI usage this can leave keyring state stale across invocations and eventually cause invalid_grant when the old token is retired. What - add persistingTokenSource wrapper in internal/googleapi/client.go - wrap oauth2.Config TokenSource in tokenSourceForAccountScopes - persist rotated refresh token back into secrets store when it changes - keep persistence failures non-fatal (warn, return token) - add unit tests for rotate/no-rotate/persist-failure paths Tests - go test ./internal/googleapi
steipete
added a commit
that referenced
this pull request
Mar 7, 2026
Collaborator
steipete
added a commit
that referenced
this pull request
Mar 7, 2026
Collaborator
klodr
pushed a commit
to klodr/gogcli
that referenced
this pull request
Apr 22, 2026
) Why - gogcli refreshed access tokens from a stored refresh token but never wrote back a rotated refresh token returned by Google. - In multi-process CLI usage this can leave keyring state stale across invocations and eventually cause invalid_grant when the old token is retired. What - add persistingTokenSource wrapper in internal/googleapi/client.go - wrap oauth2.Config TokenSource in tokenSourceForAccountScopes - persist rotated refresh token back into secrets store when it changes - keep persistence failures non-fatal (warn, return token) - add unit tests for rotate/no-rotate/persist-failure paths Tests - go test ./internal/googleapi
klodr
pushed a commit
to klodr/gogcli
that referenced
this pull request
Apr 22, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Persist rotated refresh tokens returned by Google during normal API token refreshes.
Why
gogclicurrently loads refresh tokens from keyring and usesoauth2.TokenSource, but runtime API flows do not write back a rotated refresh token. In multi-process usage this can leave keyring state stale across invocations.What changed
persistingTokenSourcewrapper ininternal/googleapi/client.gotokenSourceForAccountScopesToken()returns a different refresh token, persist it withstore.SetToken(...)internal/googleapi/client_more_test.gofor:Validation
go test ./internal/googleapi