Delaying the save of a refresh_token will likely result in issues.

New value must be saved, even if access_token is invalid for the requested operation.
This means we'd have to check (and rely on git) to also provide the new refresh_token and store its value during an erase callback (needs ugly hack in EraseCredentialAsync).

Granted the current state (without #1838) is also broken. (fix has been merged)
I think this is still the correct location to directly issue a store.
Otherwise there is a risk of client desync due to missed refresh_token value updates.

There are advantages and disadvantages to pre-emptively storing the refresh token. In particular, storing the wrong username if the user has multiple accounts on the host and selects the wrong account. In general, I'd prefer to avoid the complexity of side effects. The Git credential API has deliberate independent verbs "get/store/erase".

Which host do you test with?

Chances are high the 1st action is a pull from a repository readable by the 2nd account.
So any existing entry is likely to be replaced anyway (no failure as account guard). ☺

Git can only give feedback (store vs. erase) on the access_token.
Any provided refresh_token is (by convention) valid and MUST be used in further interactions.
Saving that during the get phase is not a side effect but required as part of a completed transaction.
Delaying the save can break things on Ctrl+C, parallel pulls, or stupid proxies
(see comments regarding missing token updates).

The primitive get with detached store/erase is broken in the context of OAuth.
A 2nd parallel action from the same host will trigger another token refresh and a conflicting store
(not an issue to have multiple access_token, but potentially fatal with an outdated refresh_token) .

My primary endpoint is Forgejo with recommended single-use tokens (→ #1838 required).
Primary client is Win11 (where leaking refresh_token in the output would be only a minor violation).
(→ getting to the next potential problem with the get/store approach on a proper secret store…)

Okay -- I've restored that logic. Would you be able to test this branch with Forgejo?

The refresh_token will likely also have an expiry date.
At least one observed implementation however does not report the constraint.

Any suggestion to improve the test?

Sorry, wrong/stupid location for my comment (test is not the issue). ☹
(Maybe you can mark this part of my comments as resolved to avoid further confusion?)

General problem with the auth flow when not dealing with refresh in the get phase:

• presenting git with an expired credential will just lead to ignoring it
• the refresh_token might also be expired (but git would have no way of recovering anyway…)

Telling git should only be useful if there was a further provider with valid credentials as a fallback…
But since GCM has no way of knowing this, it's likely best to keep handling refresh proactively in get.
Which would of course render the whole concept of supplying any token metadata to git redundant.