[GH-ISSUE #625] Allow omitting client_secret when refreshing token obtained via PKCE #407

New issue

Open

opened 2026-03-03 16:48:26 +03:00 by kerem · 0 comments

kerem commented

2026-03-03 16:48:26 +03:00

Owner

Originally created by @kdembler on GitHub (Sep 23, 2020).
Original GitHub issue: https://github.com/OAuthSwift/OAuthSwift/issues/625

Description:

When using PKCE flow for authentication, the client secret shouldn't be used in any way. This is taken into account when calling authorize - the secret is skipped in the parameters. However, this isn't a case for renewAccessToken - this code will always try to include client secret in the parameters, even if it's empty. Some providers (Spotify for sure) will then reject refresh requests due to invalid (empty) client secret.

To allow easy PKCE flow integration, renewAccessToken should allow omitting the client secret in the refresh request.

OAuth Provider

Spotify

OAuth Version

Version 2 - PKCE

OS

macOS 10.15

Installation method:

Carthage

Library version:

Head

Xcode version:

11.4 (Swift 5.2)

Originally created by @kdembler on GitHub (Sep 23, 2020). Original GitHub issue: https://github.com/OAuthSwift/OAuthSwift/issues/625 ### Description: When using PKCE flow for authentication, the client secret shouldn't be used in any way. This is taken into account when calling `authorize` - the secret is skipped in the parameters. However, this isn't a case for `renewAccessToken` - this code will always try to include client secret in the parameters, even if it's empty. Some providers (Spotify for sure) will then reject refresh requests due to invalid (empty) client secret. To allow easy PKCE flow integration, `renewAccessToken` should allow omitting the client secret in the refresh request. ### OAuth Provider Spotify ### OAuth Version Version 2 - PKCE ### OS macOS 10.15 ### Installation method: Carthage ### Library version: Head ### Xcode version: 11.4 (Swift 5.2)