[GH-ISSUE #631] OAuth2 fails with Polar. Client-id and secret shouldn't be sent when retrieving access token #414

Closed
opened 2026-03-03 16:48:29 +03:00 by kerem · 2 comments
Owner

Originally created by @pepejeria on GitHub (Oct 30, 2020).
Original GitHub issue: https://github.com/OAuthSwift/OAuthSwift/issues/631

Description:

OAuth2 fails for Polar because client-id and secret are sent in the body when posting to the access token URL

OAuth Provider? (Twitter, Github, ..):

Polar

OAuth Version:

  • [ ] Version 1
  • [x] Version 2

OS (Please fill the version) :

  • [x] iOS :
  • [ ] OSX :
  • [ ] TVOS :
  • [ ] WatchOS :

Installation method:

  • [ ] Carthage
  • [x] CocoaPods
  • [ ] Swift Package Manager
  • [ ] Manually

Library version:

  • [ ] head
  • [x] v2.1.0
  • [ ] v2.0.0
  • [ ] v1.4.1
  • [ ] other: (Please fill in the version you are using.)

Xcode version:

  • [ ] 11.4 (Swift 5.2)
  • [ ] 11.x (Swift 5.1)
  • [ ] 10.x (Swift 5.0)
  • [x] other: 12.1

The Polar API expects the following values when posting to the access token URL:

  • redirect_uri
  • code
  • grant_type

https://www.polar.com/accesslink-api/?javascript--nodejs#token-endpoint

Any other values provided and the request will fail. The library also sends the client_id and client_secret, resulting in an invalid request.

I did the following modification to OAuthSwiftClient line 85:

        var parametersCopy = parameters
        parametersCopy.removeValue(forKey: "client_id")
        parametersCopy.removeValue(forKey: "client_secret")
        if let request = makeRequest(url, method: method, parameters: parametersCopy, headers: headers, body: body) {
            request.start(completionHandler: completion)
            return request
        }

to remove those values and now the request works fine.

Is there a way to solve this without having to subclass OAuthSwiftClient? Not quite sure how I can subclass OAuth2Swift to set a different client of type OAuthSwiftClient.

kerem closed this issue 2026-03-03 16:48:29 +03:00

@pepejeria commented on GitHub (Oct 30, 2020):

Subclassed OAuthSwiftClient, but I don't see how I can subclass OAuth2Swift as well to use this client instead.

class PolarOAuthSwiftClient: OAuthSwiftClient {

    @discardableResult
    open override func request(_ url: URLConvertible, method: OAuthSwiftHTTPRequest.Method, parameters: OAuthSwift.Parameters = [:], headers: OAuthSwift.Headers? = nil, body: Data? = nil, checkTokenExpiration: Bool = true, completionHandler completion: OAuthSwiftHTTPRequest.CompletionHandler?) -> OAuthSwiftRequestHandle? {
        // Polar access token request will fail if these parameters are provided in the body
        var modifiedParameters = parameters
        modifiedParameters.removeValue(forKey: "client_id")
        modifiedParameters.removeValue(forKey: "client_secret")

        return super.request(url, method: method, parameters: modifiedParameters, headers: headers, body: body, checkTokenExpiration: checkTokenExpiration, completionHandler: completion)
    }
}

@pepejeria commented on GitHub (Oct 30, 2020):

Ok, I solved this by doing the following:

oauthSwift = OAuth2Swift(
    consumerKey: configuration.clientKey,
    consumerSecret: configuration.clientSecret,
    authorizeUrl: configuration.authorizeUrl,
    accessTokenUrl: configuration.accessTokenUrl,
    responseType: "code"
)
oauthSwift.accessTokenBasicAuthentification = true
oauthSwift.client = PolarOAuthSwiftClient(consumerKey: configuration.clientKey, consumerSecret: configuration.clientSecret, version: .oauth2)
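The request shape the thread converges on, written out with plain Foundation as an added example (not OAuthSwift's code and not from the issue author): client credentials go in an HTTP Basic `Authorization` header as RFC 6749 section 2.3.1 describes, and the form body holds only `grant_type`, `code` and `redirect_uri`. The endpoint URL, credentials and the helper names `formEncode`, `makeTokenRequest` and `bodyFieldNames` are assumptions made for illustration.

```swift
import Foundation
#if canImport(FoundationNetworking)
import FoundationNetworking  // URLRequest lives here on Linux
#endif

// Percent-encode everything except RFC 3986 unreserved characters.
func formEncode(_ s: String) -> String {
    let unreserved = CharacterSet(charactersIn:
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
    return s.addingPercentEncoding(withAllowedCharacters: unreserved) ?? s
}

// Token request with the client authenticated via HTTP Basic (RFC 6749, section 2.3.1).
func makeTokenRequest(tokenURL: URL, clientID: String, clientSecret: String,
                      code: String, redirectURI: String) -> URLRequest {
    var request = URLRequest(url: tokenURL)
    request.httpMethod = "POST"
    // Credentials are form-encoded first, then joined with ":" and base64-encoded.
    let credentials = "\(formEncode(clientID)):\(formEncode(clientSecret))"
    request.setValue("Basic " + Data(credentials.utf8).base64EncodedString(),
                     forHTTPHeaderField: "Authorization")
    request.setValue("application/x-www-form-urlencoded",
                     forHTTPHeaderField: "Content-Type")
    // The body carries only the three fields the issue lists.
    let fields = [("grant_type", "authorization_code"),
                  ("code", code),
                  ("redirect_uri", redirectURI)]
    let body = fields.map { "\($0.0)=\(formEncode($0.1))" }.joined(separator: "&")
    request.httpBody = Data(body.utf8)
    return request
}

// Field names present in the form body, for asserting nothing secret leaked into it.
func bodyFieldNames(_ request: URLRequest) -> [String] {
    guard let data = request.httpBody,
          let body = String(data: data, encoding: .utf8) else { return [] }
    return body.split(separator: "&").map { pair in
        String(pair.split(separator: "=", maxSplits: 1, omittingEmptySubsequences: false)[0])
    }
}

// Constructed sample values; the endpoint is a placeholder, not Polar's real URL.
let request = makeTokenRequest(
    tokenURL: URL(string: "https://auth.example.invalid/oauth2/token")!,
    clientID: "sample-client", clientSecret: "s3cr:et/+",
    code: "sample-code", redirectURI: "myapp://oauth-callback")
let names = bodyFieldNames(request)
precondition(!names.contains("client_id") && !names.contains("client_secret"))
print(names)
```

The same `bodyFieldNames` check can run in a unit test against whatever request a client library produces, so a secret reappearing in the body is caught before it reaches request logs.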