Open j-krose opened 2 weeks ago
Side note, really cool and useful library! Well documented and works really nicely!
I am happy to implement this one myself with some guidance on whether this actually merits a change or not, but I was not sure because I do not know so much about OAuth.
Using PKCE OAuth flow (i.e. no client secret available) to create a client-only web page, I ran into the following issue; rather than being able to do an expected:
or
I had to use the more custom `makeTokenRequestWith` in order to form the proper request:
It seems that the library does not include the `client_id` in the form body; when supplied in `credentials` it just uses it in the headers rather than the body:
It seems like this `client_id` in the refresh token request is NOT mentioned in RFC: https://datatracker.ietf.org/doc/html/rfc6749#section-6
So maybe it is just strange that Spotify auth server is requesting it: https://developer.spotify.com/documentation/web-api/tutorials/refreshing-tokens
Small nit as well, this documentation was a bit confusing https://github.com/truqu/elm-oauth2/blob/ef6a7bf29b361a2564b99b0daa79eb3b7ed74f45/src/OAuth/Refresh.elm#L56 :
I think this is supposed to be something more like "the refresh token issued by the authorization provider"
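
The two request shapes discussed in this issue, as an added example that is not part of the original post and is not elm-oauth2 code: a refresh request where the client credentials travel in the `Authorization` header, next to one from a secretless PKCE client that puts `client_id` in the form body. The function name `buildRefreshRequest`, the endpoint and all sample values are hypothetical.

```javascript
// Added illustration: builds the parts of a refresh-token request without sending it.
// buildRefreshRequest, toBase64 and every sample value below are hypothetical.
function toBase64(s) {
  // btoa exists in browsers and recent Node; fall back to Buffer otherwise.
  return typeof btoa === "function" ? btoa(s) : Buffer.from(s, "utf8").toString("base64");
}

function buildRefreshRequest({ tokenEndpoint, refreshToken, clientId, clientSecret, scope }) {
  // Fields defined for the refresh grant in RFC 6749 section 6.
  const body = new URLSearchParams();
  body.set("grant_type", "refresh_token");
  body.set("refresh_token", refreshToken);
  if (scope && scope.length > 0) body.set("scope", scope.join(" "));

  const headers = { "Content-Type": "application/x-www-form-urlencoded" };

  if (clientSecret) {
    // Client with a secret: credentials go in an HTTP Basic header,
    // and client_id is left out of the form body.
    const pair = `${encodeURIComponent(clientId)}:${encodeURIComponent(clientSecret)}`;
    headers["Authorization"] = "Basic " + toBase64(pair);
  } else {
    // Secretless (PKCE) client: nothing to put in a Basic header, so the
    // client identifies itself with client_id as a form field instead.
    body.set("client_id", clientId);
  }

  return { url: tokenEndpoint, method: "POST", headers, body: body.toString() };
}

// Constructed sample input, not real credentials or a real endpoint.
const sample = { tokenEndpoint: "https://auth.example/token", refreshToken: "rt-123", clientId: "my-spa" };
const publicReq = buildRefreshRequest(sample);
const secretReq = buildRefreshRequest({ ...sample, clientSecret: "s3cret" });

console.log(publicReq.body);
console.log(secretReq.headers.Authorization, secretReq.body);
```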