google-gemini/gemini-cli

OAuth refresh token lost during token refresh, causing 'No refresh token is set' after ~1 hour

Open

#21691 opened on Mar 9, 2026

View on GitHub
 (9 comments) (0 reactions) (1 assignee)TypeScript (103,992 stars) (13,657 forks)batch import
area/corearea/securityeffort/smallhelp wantedkind/bugpriority/p1status/bot-triaged

Description

Problem

When Google OAuth refreshes an access token, the tokens event payload only contains the new access_token — it does not resend the refresh_token. However, both OAuthCredentialStorage.saveCredentials() and the file-based cacheCredentials() overwrite the stored credentials entirely, wiping out the existing refresh token.

This causes sessions to fail with API Error: No refresh token is set after the first access token expiry (~1 hour).

Additionally

deleteCredentials() in both FileTokenStorage and KeychainTokenStorage throws an error when the credential doesn't exist (e.g., was already deleted). This causes a cascading "Failed to clear OAuth credentials" error loop when re-auth tries to clear credentials that are already gone, preventing users from re-authenticating.

Steps to reproduce

  1. Authenticate with Google OAuth
  2. Use the CLI for >1 hour (until access token expires)
  3. Send another message → No refresh token is set
  4. CLI attempts to clear credentials and re-auth → repeated "Failed to clear OAuth credentials" errors

Expected behavior

  • Refresh tokens should be preserved when saving a token refresh (merge with existing rather than overwrite)
  • Deleting non-existent credentials should be a no-op

Environment

  • macOS, using GEMINI_FORCE_ENCRYPTED_FILE_STORAGE=true
  • Affects both encrypted (OAuthCredentialStorage) and file-based (cacheCredentials) storage paths

Contributor guide

Tech stack
typescriptnodejs
Domain
cliauthentication
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
blocked
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
Familiarity with TypeScriptUnderstanding of OAuth 2.0Basic Node.js file operations
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
45
Research direction
Examine the credential storage implementation in OAuthCredentialStorage and FileTokenStorage. Focus on the saveCredentials method where tokens are overwritten; modify to merge the new access token with existing refresh token. Also fix deleteCredentials to be a no op when credentials do not exist. Consider adding unit tests to cover token refresh scenarios.