From 595de28f25f5526f63cf6e9136291d86c6972754 Mon Sep 17 00:00:00 2001
From: Ankit Ranjan
Date: Wed, 27 May 2026 17:39:45 +0530
Subject: [PATCH 1/3] fix: refresh DCR provider client on replace
---
 src/authsome/server/credential_service.py | 9 +++++++--
 src/authsome/server/routes/ui.py | 13 +++++++++++--
 2 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/src/authsome/server/credential_service.py b/src/authsome/server/credential_service.py
index 1cd1c456..51857a89 100644
--- a/src/authsome/server/credential_service.py
+++ b/src/authsome/server/credential_service.py
@@ -365,10 +365,15 @@ async def update_provider_configuration(
 return False
 existing = await self._get_provider_client_credentials(provider)
+ refresh_dcr_client = definition.flow == FlowType.DCR_PKCE and existing is not None and "client_id" not in inputs
 updated = ProviderClientRecord(provider=provider)
- updated.client_id = inputs.get("client_id", existing.client_id if existing else None) or None
+ updated.client_id = (
+ None if refresh_dcr_client else inputs.get("client_id", existing.client_id if existing else None) or None
+ )
- if "client_secret" in inputs:
+ if refresh_dcr_client:
+ updated.client_secret = None
+ elif "client_secret" in inputs:
 secret_input = inputs["client_secret"].strip()
 if secret_input:
 updated.client_secret = secret_input
diff --git a/src/authsome/server/routes/ui.py b/src/authsome/server/routes/ui.py
index ac56a8af..5969ac62 100644
--- a/src/authsome/server/routes/ui.py
+++ b/src/authsome/server/routes/ui.py
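Review bot: In `update_provider_configuration` (credential_service.py), `refresh_dcr_client` treats the mere absence of a `client_id` key as a request to discard the stored `client_id` and `client_secret`, so for a DCR_PKCE provider a call that carries only `client_secret` has that input dropped and the existing registration wiped as a side effect. Narrow the trigger to calls that supply no client credentials, `refresh_dcr_client = definition.flow == FlowType.DCR_PKCE and existing is not None and "client_id" not in inputs and "client_secret" not in inputs`, or have the caller pass the intent explicitly. The branch also needs a comment saying that both fields are cleared on purpose (presumably to force a fresh dynamic registration) and a log entry naming the provider, never the secret, so credential resets can be audited. The function starts and ends outside the hunk, so whether the old registration is revoked at the authorization server or tokens issued under it are invalidated cannot be seen here.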
@@ -700,12 +700,21 @@ async def configure_provider(
 flow_type=provider.flow.value,
 )
 session.payload["provider_config_only"] = True
- session.payload["existing_provider_client"] = (await auth.get_provider_client(provider_name)) is not None
+ existing_provider_client = (await auth.get_provider_client(provider_name)) is not None
+ session.payload["existing_provider_client"] = existing_provider_client
 session.payload["callback_url_override"] = build_callback_url(server_base_url)
 session.payload["return_url"] = f"{server_base_url.rstrip('/')}/apps/{provider_name}"
- session.payload["input_fields"] = [
+ input_fields = [
 field.model_dump(mode="json", exclude_none=True) for field in await auth.get_required_inputs(session)
 ]
+ if provider.flow == FlowType.DCR_PKCE and existing_provider_client and not input_fields:
+ all_vaults = await request.app.state.vault_registry.list_all()
+ vault_ids = [vault.vault_id for vault in all_vaults] or ([auth.vault_id] if auth.vault_id else [])
+ await auth.update_provider_configuration(provider_name, {}, vault_ids=vault_ids)
+ await sessions.delete(session.session_id)
+ return _redirect(request, f"/apps/{provider_name}")
+
+ session.payload["input_fields"] = input_fields
 await sessions.save(session)
 return _redirect(request, build_auth_input_url(server_base_url, session.session_id))
From 475bdebf818f9fe06f09519206cd31b50d2212f3 Mon Sep 17 00:00:00 2001
From: Ankit Ranjan
Date: Wed, 27 May 2026 17:51:36 +0530
Subject: [PATCH 2/3] refactor: trigger login flow directly when existing DCR PKCE provider client is present
---
 src/authsome/server/routes/ui.py | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/authsome/server/routes/ui.py b/src/authsome/server/routes/ui.py
index 5969ac62..685fbcf0 100644
--- a/src/authsome/server/routes/ui.py
+++ b/src/authsome/server/routes/ui.py
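Review bot: The DCR_PKCE branch added to `configure_provider` in [PATCH 1/3] clears the stored provider client for every vault returned by `vault_registry.list_all()` as a side effect of opening the configure page. There is no confirmation step and no check visible in the hunk that the requester may act on all of those vaults. The route decorator is outside the hunk; if the handler answers a plain GET, a cross-site request could trigger the reset, so the state change belongs behind a POST covered by the app's CSRF protection. The result of `auth.update_provider_configuration(provider_name, {}, vault_ids=vault_ids)` is also discarded, and the service method in credential_service.py returns `False` on at least one path, so (assuming `auth` forwards to it) a failed update still deletes the session and redirects as if it had succeeded. Checking it, e.g. `if not await auth.update_provider_configuration(provider_name, {}, vault_ids=vault_ids):` followed by an error response, would surface that.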
@@ -704,16 +704,21 @@ async def configure_provider(
 session.payload["existing_provider_client"] = existing_provider_client
 session.payload["callback_url_override"] = build_callback_url(server_base_url)
 session.payload["return_url"] = f"{server_base_url.rstrip('/')}/apps/{provider_name}"
- input_fields = [
- field.model_dump(mode="json", exclude_none=True) for field in await auth.get_required_inputs(session)
- ]
- if provider.flow == FlowType.DCR_PKCE and existing_provider_client and not input_fields:
+ if provider.flow == FlowType.DCR_PKCE and existing_provider_client:
 all_vaults = await request.app.state.vault_registry.list_all()
 vault_ids = [vault.vault_id for vault in all_vaults] or ([auth.vault_id] if auth.vault_id else [])
 await auth.update_provider_configuration(provider_name, {}, vault_ids=vault_ids)
- await sessions.delete(session.session_id)
+ await auth.begin_login_flow(session=session, force=True)
+ await sessions.index_oauth_state(session)
+ auth_url = session.payload.get("auth_url")
+ if auth_url:
+ return _redirect(request, str(auth_url))
+ await sessions.save(session)
 return _redirect(request, f"/apps/{provider_name}")
+ input_fields = [
+ field.model_dump(mode="json", exclude_none=True) for field in await auth.get_required_inputs(session)
+ ]
 session.payload["input_fields"] = input_fields
 await sessions.save(session)
 return _redirect(request, build_auth_input_url(server_base_url, session.session_id))
From 6c108cb44f5c63ee0c069f941ff2302e9f7a9ff3 Mon Sep 17 00:00:00 2001
From: Tejas <48682479+beubax@users.noreply.github.com>
Date: Thu, 28 May 2026 12:16:49 +0530
Subject: [PATCH 3/3] revert: display input fields for dcr providers
Refactor existing_provider_client check and input_fields assignment.
---
 src/authsome/server/routes/ui.py | 18 ++----------------
 1 file changed, 2 insertions(+), 16 deletions(-)
diff --git a/src/authsome/server/routes/ui.py b/src/authsome/server/routes/ui.py
index 685fbcf0..ac56a8af 100644
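Review bot: On the `auth_url` path of the [PATCH 2/3] branch in `configure_provider`, the handler redirects before `await sessions.save(session)`, which runs only on the fall-through. Unless `sessions.index_oauth_state` itself persists the payload (not visible here), the OAuth callback may not find the state that `begin_login_flow` stored in the session. Placing `await sessions.save(session)` directly after `await sessions.index_oauth_state(session)` covers both exits. The stored client is also cleared by `update_provider_configuration` before `begin_login_flow(session=session, force=True)` runs, so if the flow start raises, the provider is left without a client and nothing restores the previous record. Clearing only after the new flow has started, or catching the failure and writing the old record back, avoids that. `session.payload["provider_config_only"]` is still `True` when the login flow begins, which deserves a comment if the callback treats that flag specially.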
--- a/src/authsome/server/routes/ui.py
+++ b/src/authsome/server/routes/ui.py
@@ -700,26 +700,12 @@ async def configure_provider(
 flow_type=provider.flow.value,
 )
 session.payload["provider_config_only"] = True
- existing_provider_client = (await auth.get_provider_client(provider_name)) is not None
- session.payload["existing_provider_client"] = existing_provider_client
+ session.payload["existing_provider_client"] = (await auth.get_provider_client(provider_name)) is not None
 session.payload["callback_url_override"] = build_callback_url(server_base_url)
 session.payload["return_url"] = f"{server_base_url.rstrip('/')}/apps/{provider_name}"
- if provider.flow == FlowType.DCR_PKCE and existing_provider_client:
- all_vaults = await request.app.state.vault_registry.list_all()
- vault_ids = [vault.vault_id for vault in all_vaults] or ([auth.vault_id] if auth.vault_id else [])
- await auth.update_provider_configuration(provider_name, {}, vault_ids=vault_ids)
- await auth.begin_login_flow(session=session, force=True)
- await sessions.index_oauth_state(session)
- auth_url = session.payload.get("auth_url")
- if auth_url:
- return _redirect(request, str(auth_url))
- await sessions.save(session)
- return _redirect(request, f"/apps/{provider_name}")
-
- input_fields = [
+ session.payload["input_fields"] = [
 field.model_dump(mode="json", exclude_none=True) for field in await auth.get_required_inputs(session)
 ]
- session.payload["input_fields"] = input_fields
 await sessions.save(session)
 return _redirect(request, build_auth_input_url(server_base_url, session.session_id))