[GH-ISSUE #396] PKCE Auth - refetch_token triggers status 400 bad request due to revoked refresh token #129

Closed
opened 2026-02-27 20:23:16 +03:00 by kerem · 3 comments

Originally created by @ndoolan360 on GitHub (Mar 29, 2023).
Original GitHub issue: https://github.com/ramsayleung/rspotify/issues/396

Describe the bug
The refetch_token method in the BaseClient of AuthCodePkceSpotify keeps the original refresh_token after refetching, causing an error response with Status 400 (Bad Request).

To Reproduce
Steps to reproduce the behavior:

  1. Create an AuthCodePkceSpotify client configured with token_cache
  2. Refresh the token a number of times
  • Notice that the initial tokens and the first refresh are successful and the access_token is updated, however, the refresh_token remains the same after refresh.
  • On subsequent attempts to refresh, the client errors with Status 400 Bad Request.

Expected behavior
I expect the new refresh token returned by the request to be returned by refetch_token and stored in the cache by refresh_token.

Log/Output data
log.txt (https://github.com/ramsayleung/rspotify/files/11097089/log.txt)
From recreating the request in Postman the body is:

```json
{
    "error": "invalid_grant",
    "error_description": "Refresh token revoked"
}
```

Additional context
This appears to occur because of auth_code_pkce.rs line 75

---

Spotify Community Discussion (https://community.spotify.com/t5/Spotify-for-Developers/Refresh-token-revoked/m-p/5190859/highlight/true#M2406)

> A refresh token that has been obtained through PKCE can be exchanged for an access token only once, after which it becomes invalid.

---


Is this just to do with my use case?
Do we know why it is that we need to keep the same refresh_token after the refetch?


@ramsayleung commented on GitHub (May 30, 2023):

I think the refresh token logic of the pkce was just borrowed from auth_code.rs; we should replace the old refresh token with the new refresh token returned by the request.


@mlehmk commented on GitHub (Jun 5, 2023):

The new refresh token is overwritten by the retained refresh token in line 77 of auth_code_pkce.rs of https://github.com/ramsayleung/rspotify/blob/4360c096f2e1d827bd52b998dc3c1bfde18c456d/src/auth_code_pkce.rs
Removing that line seems to fix this issue.

The PKCE protocol invalidates the old refresh token, due to a protection against token extraction. The token refresh also gives a new refresh token and remembers the old refresh token, so in case a refresh is issued with the old refresh token the whole session is invalidated.

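As an added example (not rspotify's code) of the behaviour reported in the issue and the rotation-with-reuse-detection semantics described in the comment above: a mock token endpoint with constructed token strings, the buggy refetch that keeps the cached refresh token beside the fixed one that stores the returned token. The mock server, `refetch_keep_old` and `refetch_rotate` are assumed names, not part of the project.

```rust
// Added example (not rspotify code): a mock PKCE token endpoint with refresh
// token rotation and reuse detection, beside the buggy and fixed refetch logic.
use std::collections::HashSet;

#[derive(Clone, PartialEq, Debug)]
pub struct Token { pub access_token: String, pub refresh_token: String }

pub struct MockAuthServer {
    live: Option<String>,    // the single refresh token currently accepted
    issued: HashSet<String>, // every refresh token ever handed out
    counter: u32,
}

impl MockAuthServer {
    pub fn new() -> (Self, Token) {
        let mut s = MockAuthServer { live: None, issued: HashSet::new(), counter: 0 };
        let first = s.issue();
        (s, first)
    }
    fn issue(&mut self) -> Token {
        self.counter += 1;
        let rt = format!("refresh-{}", self.counter);
        self.live = Some(rt.clone());
        self.issued.insert(rt.clone());
        Token { access_token: format!("access-{}", self.counter), refresh_token: rt }
    }
    /// Token endpoint: the live token is rotated; an already rotated token is a
    /// replay that revokes the whole session (the 400 `invalid_grant` in the issue).
    pub fn refresh(&mut self, presented: &str) -> Result<Token, &'static str> {
        if self.live.as_deref() == Some(presented) {
            return Ok(self.issue());
        }
        if self.issued.contains(presented) {
            self.live = None;
        }
        Err("400 invalid_grant: Refresh token revoked")
    }
}

/// Buggy refetch as reported: the cached refresh token overwrites the new one.
pub fn refetch_keep_old(srv: &mut MockAuthServer, cached: &Token) -> Result<Token, &'static str> {
    let mut fresh = srv.refresh(&cached.refresh_token)?;
    fresh.refresh_token = cached.refresh_token.clone();
    Ok(fresh)
}

/// Fixed refetch: cache the token exactly as returned, new refresh token included.
pub fn refetch_rotate(srv: &mut MockAuthServer, cached: &Token) -> Result<Token, &'static str> {
    srv.refresh(&cached.refresh_token)
}
```

With the buggy strategy the first refresh succeeds and the second replays the rotated token, which revokes the session so that even the genuinely new refresh token is rejected afterwards.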

@ramsayleung commented on GitHub (Jun 14, 2023):

This problem has been fixed, feel free to retry with the latest commit :)
