Refresh token request rejected by auth server with PKCE flow due to missing client_id in refresh request

[j-krose]

Using PCKE OAuth flow (i.e. no client secret available) to create a client-only web page I ran into the following issue; rather than being able to do an expected:

    Refresh.makeTokenRequest
        (resultMapper >> toMsg)
        { credentials = Nothing
        , url = tokenUrl
        , scope = scopes
        , token = accessToken.refreshToken
        }
        |> Http.request

or

    Refresh.makeTokenRequest
        (resultMapper >> toMsg)
        { credentials = Just { clientId = clientId, secret = "" }
        , url = tokenUrl
        , scope = scopes
        , token = accessToken.refreshToken
        }
        |> Http.request

I had to use the more custom makeTokenRequestWith in order to form the proper request:

    Refresh.makeTokenRequestWith
        OAuth.RefreshToken
        Refresh.defaultAuthenticationSuccessDecoder
        (Dict.singleton "client_id" clientId)
        (resultMapper >> toMsg)
        { credentials = Nothing
        , url = tokenUrl
        , scope = scopes
        , token = accessToken.refreshToken
        }
        |> Http.request

It seems that the library does not include the client_id in the form body; when supplied in credentials it just uses it in the headers rather than the body:

makeTokenRequestWith : GrantType -> Json.Decoder success -> Dict String String -> (Result Http.Error success -> msg) -> Authentication -> RequestParts msg
makeTokenRequestWith grantType decoder extraFields toMsg { credentials, scope, token, url } =
    let
        body =
            [ Builder.string "grant_type" (grantTypeToString grantType)
            , Builder.string "refresh_token" (extractTokenString token)
            ]
                |> urlAddList "scope" scope
                |> urlAddExtraFields extraFields
                |> Builder.toQuery
                |> String.dropLeft 1

        headers =
            makeHeaders credentials
    in
    makeRequest decoder toMsg url headers body

It seems like this client_id in the refresh token request is NOT mentioned in RFC: https://datatracker.ietf.org/doc/html/rfc6749#section-6

So maybe it is just strange that spotify auth server is requesting it: https://developer.spotify.com/documentation/web-api/tutorials/refreshing-tokens

---

Small nit as well, this documentation was a bit confusing

elm-oauth2/src/OAuth/Refresh.elm

Line 56 in ef6a7bf

- `token` (_REQUIRED_):

:

  - `token` (_REQUIRED_):
    Token endpoint of the resource provider

I think this is supposed to be something more like "the refresh token issued by the authorization provider"

[j-krose]

Side note, really cool and useful library! Well documented and works really nicely!

I am happy to implement this one myself with some guidance on whether this actually merits a change or not, but I was not sure because I do not know so much about OAuth.