Tags: python, authlib

What is the API contract for OAuth2Session update_token callback?


The OAuth 2 client documentation on refresh & autoupdate token is unclear on the semantics for the various parameters.

  1. When are refresh_token & access_token passed in?
  2. What are their values supposed to be?

The example provided is also unclear.

def update_token(token, refresh_token=None, access_token=None):
    # `name` is not defined in this snippet; the docs assume it is in scope
    # and identifies the provider whose stored token should be updated.
    # Whichever credential the client passed in is used to locate the row.
    if refresh_token:
        item = OAuth2Token.find(name=name, refresh_token=refresh_token)
    elif access_token:
        item = OAuth2Token.find(name=name, access_token=access_token)
    else:
        return

    # update old token with the values from the freshly issued `token`
    item.access_token = token['access_token']
    item.refresh_token = token.get('refresh_token')
    item.expires_at = token['expires_at']
    item.save()

Though I wouldn't think so, OAuth2Token looks like a reference to the authlib.oauth2.rfc6749.OAuth2Token class. Despite the similar name, are we supposed to imagine it's a custom ORM class that the library user would write themselves? This is left unstated.


Solution

  • Yes, that OAuth2Token is a fake model class. In Django, it could be:

    OAuth2Token.objects.get(name=name, refresh_token=refresh_token)

    With SQLAlchemy, it could be:

    OAuth2Token.query.filter_by(name=name, refresh_token=refresh_token).first()

    This update_token is a hook function; it will be called whenever a token is updated. During the token update process, the client/session passes the refresh token or access token automatically.
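As an added example (not part of the original question or answer), here is the hook contract worked through against an in-memory store: the `refresh_token` / `access_token` keyword holds the old credential and is used only to find the stored row, while `token` holds the new values. It assumes the client passes the old refresh token when a refresh_token grant is used and the old access token when a client_credentials token is re-fetched without a refresh token (this matches authlib's OAuth2Client source); `StoredToken`, `TokenStore` and the sample values are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class StoredToken:  # stands in for the OAuth2Token ORM model (constructed)
    name: str
    access_token: str
    refresh_token: Optional[str]
    expires_at: int

class TokenStore:  # in-memory stand-in for an ORM table (constructed)
    def __init__(self):
        self.rows = []

    def find(self, name, **creds):  # creds: refresh_token=... or access_token=...
        for row in self.rows:
            if row.name == name and all(getattr(row, k) == v for k, v in creds.items()):
                return row
        return None

def make_update_token(store, name):
    def update_token(token, refresh_token=None, access_token=None):
        # refresh_token / access_token hold the OLD credential and only locate
        # the stored row; `token` holds the NEW values to persist.
        if refresh_token:
            item = store.find(name, refresh_token=refresh_token)
        elif access_token:
            item = store.find(name, access_token=access_token)
        else:
            return None
        if item is None:
            return None  # unknown token: nothing to update
        item.access_token = token["access_token"]
        # keep the old refresh token when the server did not rotate it
        item.refresh_token = token.get("refresh_token") or item.refresh_token
        item.expires_at = token["expires_at"]
        return item
    return update_token

def demo():
    store = TokenStore()
    store.rows.append(StoredToken("acme", "at-old", "rt-old", 1_700_000_000))
    update_token = make_update_token(store, "acme")
    # refresh_token grant: the client passes the old refresh token
    update_token({"access_token": "at-2", "refresh_token": "rt-2",
                  "expires_at": 1_700_003_600}, refresh_token="rt-old")
    # client_credentials re-fetch: no refresh token, so the old access token is passed
    update_token({"access_token": "at-3", "expires_at": 1_700_007_200},
                 access_token="at-2")
    return store.rows[0]
```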