Description
Using the PKCE OAuth flow (i.e. no client secret available) to create a client-only web page, I ran into the following issue: rather than being able to do the expected

```elm
Refresh.makeTokenRequest
    (resultMapper >> toMsg)
    { credentials = Nothing
    , url = tokenUrl
    , scope = scopes
    , token = accessToken.refreshToken
    }
    |> Http.request
```
or
```elm
Refresh.makeTokenRequest
    (resultMapper >> toMsg)
    { credentials = Just { clientId = clientId, secret = "" }
    , url = tokenUrl
    , scope = scopes
    , token = accessToken.refreshToken
    }
    |> Http.request
```
I had to use the more custom `makeTokenRequestWith` in order to form the proper request:

```elm
Refresh.makeTokenRequestWith
    OAuth.RefreshToken
    Refresh.defaultAuthenticationSuccessDecoder
    (Dict.singleton "client_id" clientId)
    (resultMapper >> toMsg)
    { credentials = Nothing
    , url = tokenUrl
    , scope = scopes
    , token = accessToken.refreshToken
    }
    |> Http.request
```
It seems that the library does not include the `client_id` in the form body; when supplied in `credentials`, it just uses it in the headers rather than the body:

```elm
makeTokenRequestWith : GrantType -> Json.Decoder success -> Dict String String -> (Result Http.Error success -> msg) -> Authentication -> RequestParts msg
makeTokenRequestWith grantType decoder extraFields toMsg { credentials, scope, token, url } =
    let
        body =
            [ Builder.string "grant_type" (grantTypeToString grantType)
            , Builder.string "refresh_token" (extractTokenString token)
            ]
                |> urlAddList "scope" scope
                |> urlAddExtraFields extraFields
                |> Builder.toQuery
                |> String.dropLeft 1

        headers =
            makeHeaders credentials
    in
    makeRequest decoder toMsg url headers body
```
It seems like this `client_id` in the refresh token request is NOT mentioned in the RFC: https://datatracker.ietf.org/doc/html/rfc6749#section-6

So maybe it is just strange that the Spotify auth server is requesting it: https://developer.spotify.com/documentation/web-api/tutorials/refreshing-tokens
Small nit as well: this documentation was a bit confusing:

elm-oauth2/src/OAuth/Refresh.elm, line 56 in ef6a7bf:

> - `token` (_REQUIRED_): Token endpoint of the resource provider

I think this is supposed to be something more like "the refresh token issued by the authorization provider".
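As an added illustration of the two ways a client can identify itself on the refresh request (this is example code written for this page, not elm-oauth2 code, and in Python rather than Elm so it runs stand-alone): a confidential client sends its `client_id` and secret in an HTTP Basic `Authorization` header, while a public (PKCE) client with no secret has to put `client_id` in the form body. The server-side `identify_client` check shows why a request with neither is rejected. The token URL and all identifiers below are constructed placeholders.

```python
"""Refresh-token request shapes for public (PKCE) vs. confidential clients.

Added example for this issue; not elm-oauth2 code. The URL and the
client/token values used here are constructed placeholders.
"""
import base64
from urllib.parse import parse_qs, urlencode

TOKEN_URL = "https://accounts.example.test/api/token"  # constructed placeholder


def build_refresh_request(client_id, client_secret, refresh_token, scopes=()):
    """Return (headers, body) for an RFC 6749 section 6 refresh_token grant.

    With a secret, the client authenticates with HTTP Basic (RFC 6749
    section 2.3.1) and client_id is not repeated in the body. Without a
    secret (PKCE public client), client_id goes into the form body instead,
    which is the field elm-oauth2's makeTokenRequest does not add.
    """
    fields = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    if scopes:
        fields["scope"] = " ".join(scopes)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret:
        cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = "Basic " + cred
    else:
        fields["client_id"] = client_id
    return headers, urlencode(fields)


def identify_client(headers, body):
    """Server side: return (client_id, method) for a refresh request.

    method is "basic" when the client authenticated via the Authorization
    header and "public" when it only identified itself via client_id in the
    body. Raises ValueError for a malformed or unidentified request, or when
    the body's client_id disagrees with the Basic credentials.
    """
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if params.get("grant_type") != "refresh_token" or "refresh_token" not in params:
        raise ValueError("not a refresh_token grant")

    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        cid, _, _secret = base64.b64decode(auth[6:]).decode().partition(":")
        if "client_id" in params and params["client_id"] != cid:
            raise ValueError("client_id in body does not match Authorization header")
        return cid, "basic"
    if "client_id" in params:
        return params["client_id"], "public"
    raise ValueError("unidentified client: no Authorization header and no client_id in body")


if __name__ == "__main__":
    # Public client: client_id travels in the body, no Authorization header.
    hdrs, body = build_refresh_request("app-1", "", "rt-abc", ["user-read-email"])
    print(body, identify_client(hdrs, body))
    # Confidential client: Basic header, no client_id in the body.
    hdrs, body = build_refresh_request("app-1", "s3cret", "rt-abc")
    print(hdrs["Authorization"], identify_client(hdrs, body))
```

Note that a `credentials = Just { clientId = clientId, secret = "" }` value still produces an `Authorization` header rather than a body field, so from the server's point of view it is a (failed) confidential-client authentication, not a public client identifying itself; that is why the `Dict.singleton "client_id" clientId` extra field was needed above.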