modelcontextprotocol · jbsky · May 8, 2026
@@ -763,28 +763,34 @@ async function authInternal(
 
     // Handle token refresh or new authorization
     if (tokens?.refresh_token) {
+        let newTokens: OAuthTokens | undefined;
         try {
             // Attempt to refresh the token
-            const newTokens = await refreshAuthorization(authorizationServerUrl, {
+            newTokens = await refreshAuthorization(authorizationServerUrl, {
                 metadata,
                 clientInformation,
                 refreshToken: tokens.refresh_token,
                 resource,
                 addClientAuthentication: provider.addClientAuthentication,
                 fetchFn
             });
-
-            await provider.saveTokens(newTokens);
-            return 'AUTHORIZED';
         } catch (error) {
             // If this is a ServerError, or an unknown type, log it out and try to continue. Otherwise, escalate so we can fix things and retry.
             if (!(error instanceof OAuthError) || error.code === OAuthErrorCode.ServerError) {
-                // Could not refresh OAuth tokens
+                // Could not refresh OAuth tokens — fall through to new authorization
             } else {
                 // Refresh failed for another reason, re-throw
                 throw error;
             }
         }
+
+        if (newTokens) {
+            // saveTokens errors must propagate — the AS may have already
+            // rotated the refresh token, so silently losing the new tokens
+            // would leave the client with an invalid refresh token.
+            await provider.saveTokens(newTokens);
+            return 'AUTHORIZED';
+        }
     }
 
     const state = provider.state ? await provider.state() : undefined;

@@ -1422,6 +1422,49 @@ describe('OAuth Authorization', () => {
             expect(prmCalls).toHaveLength(1);
             expect(prmCalls[0]![0].toString()).toBe(cachedPrmUrl);
         });
+
+        it('propagates saveTokens errors instead of silently swallowing them during refresh', async () => {
+            const saveTokensError = new Error('Filesystem write failed');
+            const provider = createMockProvider({
+                discoveryState: vi.fn().mockResolvedValue({
+                    authorizationServerUrl: 'https://auth.example.com',
+                    resourceMetadata: validResourceMetadata,
+                    authorizationServerMetadata: validAuthMetadata
+                }),
+                tokens: vi.fn().mockResolvedValue({
+                    access_token: 'old-access',
+                    refresh_token: 'refresh-token',
+                    token_type: 'bearer'
+                }),
+                saveTokens: vi.fn().mockRejectedValue(saveTokensError)
+            });
+
+            mockFetch.mockImplementation(url => {
+                const urlString = url.toString();
+
+                if (urlString.includes('/token')) {
+                    return Promise.resolve({
+                        ok: true,
+                        status: 200,
+                        json: async () => ({
+                            access_token: 'new-token',
+                            token_type: 'bearer',
+                            expires_in: 3600,
+                            refresh_token: 'new-refresh-token'
+                        })
+                    });
+                }
+
+                return Promise.reject(new Error(`Unexpected fetch: ${urlString}`));
+            });
+
+            // saveTokens failure must propagate — not be silently swallowed
+            await expect(auth(provider, { serverUrl: 'https://resource.example.com' })).rejects.toThrow('Filesystem write failed');
+
+            // Verify the refresh exchange itself succeeded (token endpoint was called)
+            const tokenCall = mockFetch.mock.calls.find(call => call[0].toString().includes('/token'));
+            expect(tokenCall).toBeDefined();
+        });
     });
 
     describe('selectClientAuthMethod', () => {