[PR #633] [MERGED] Conditionally omit consumer secret when refreshing token (Issue #625) #696

Closed
opened 2026-03-03 17:29:42 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/OAuthSwift/OAuthSwift/pull/633
Author: @paullalonde
Created: 11/14/2020
Status: Merged
Merged: 5/5/2021
Merged by: @phimage

Base: master ← Head: issue-625-fix


📝 Commits (4)

  • e903aeb add consumer secret conditionally to parameters
  • 10973f2 make change consistent with existing code
  • 7d5ba2c clear current access token before renewing
  • 881c0ba fix indentation

📊 Changes

1 file changed (+9 additions, -1 deletions)

📝 Sources/OAuthSwiftClient.swift (+9 -1)

📄 Description

This MR fixes a few issues I've come across while interacting with AWS Cognito with a PKCE flow.

First, this fixes the "Allow omitting client_secret when refreshing token obtained via PKCE" issue (https://github.com/OAuthSwift/OAuthSwift/issues/625). In PKCE flows, there is no client secret, so it doesn't make sense to send it to the authorization server. The client secret is currently omitted when obtaining the initial access token, but not when refreshing it.

Second, this change prevents the current (expired) access token from being sent in the refresh token request, which causes AWS Cognito to reject the request. Plus, as a matter of logic, it doesn't make much sense to send an expired token to an authorization server.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
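
The refresh request shape the description argues for, as an added example that is not part of the original PR and is not OAuthSwift's own code: `client_secret` is included only when the client actually has one, and the expired access token is not attached. `ClientConfig`, `formEncode`, `makeRefreshRequest`, the endpoint and the token values are assumptions made up for this sketch; it also assumes the server expects `client_id` in the form body.

```swift
import Foundation
#if canImport(FoundationNetworking)
import FoundationNetworking  // URLRequest lives here on Linux
#endif

// Hypothetical client description (an assumption for this example, not an OAuthSwift type).
struct ClientConfig {
    let tokenURL: URL
    let clientID: String
    let clientSecret: String?  // nil or empty for a public (PKCE) client
}

// Percent-encode a value for an application/x-www-form-urlencoded body.
func formEncode(_ value: String) -> String {
    var allowed = CharacterSet.alphanumerics
    allowed.insert(charactersIn: "-._~")
    return value.addingPercentEncoding(withAllowedCharacters: allowed) ?? value
}

// Build a refresh_token grant request (RFC 6749, section 6).
func makeRefreshRequest(config: ClientConfig, refreshToken: String) -> URLRequest {
    var params: [(String, String)] = [
        ("grant_type", "refresh_token"),
        ("refresh_token", refreshToken),
        ("client_id", config.clientID),
    ]
    // Only a confidential client holds a secret; a public client sends none.
    if let secret = config.clientSecret, !secret.isEmpty {
        params.append(("client_secret", secret))
    }
    var request = URLRequest(url: config.tokenURL)
    request.httpMethod = "POST"
    request.setValue("application/x-www-form-urlencoded", forHTTPHeaderField: "Content-Type")
    // Deliberately no Authorization header: the expired access token is not a
    // credential for the token endpoint, so it is left out of the request.
    request.httpBody = params
        .map { "\(formEncode($0.0))=\(formEncode($0.1))" }
        .joined(separator: "&")
        .data(using: .utf8)
    return request
}

// Constructed sample values, not real credentials or endpoints.
let publicClient = ClientConfig(tokenURL: URL(string: "https://auth.example.com/oauth2/token")!,
                                clientID: "example-client-id", clientSecret: nil)
let request = makeRefreshRequest(config: publicClient, refreshToken: "example-refresh-token")
print(String(data: request.httpBody!, encoding: .utf8)!)
print(request.allHTTPHeaderFields ?? [:])
```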
