
Client ID not required for PKCE refresh, despite documentation


Hi, despite being documented as a required field, refresh requests with PKCE refresh tokens are accepted and refreshed without it if a `b64(id:secret)` authentication pair is present. Additionally, the relevant RFC states nothing about refreshing being affected, at least I didn't spot anything.


Is it intended behaviour that PKCE tokens can be refreshed using the ordinary method, but not the other way around?

1 Reply

Basically both types of user tokens can be refreshed using the same original refresh call now. However, ordinary user tokens cannot be refreshed using the PKCE version with Client ID.
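The asymmetry described in the question and confirmed in the reply is worth modelling explicitly, because it is the policy a token endpoint should enforce: a `client_id` is public information, so a refresh token that was issued to a secret-authenticated (ordinary) client must never become refreshable with `client_id` alone, while a token issued via PKCE gains nothing from being refused to a caller who additionally proves possession of the secret. The following Python is an added example written for this thread; it is not the provider's code, and the client registrations, secrets and refresh tokens in it are constructed placeholders. It models the token endpoint's `grant_type=refresh_token` decision under RFC 6749 client-authentication rules: Basic `b64(id:secret)` authentication refreshes tokens from either flow, `client_id`-only refreshes succeed only for PKCE-issued tokens, and a token bound to a different client is rejected as `invalid_grant`.

```python
import base64
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed app registrations (hypothetical ids and secrets, not real credentials).
# One registration may be used by a public client (PKCE, no secret) or by a
# confidential client (authorization-code flow with secret), as the thread describes.
CLIENTS = {
    "app-example": "secret-example",
    "other-app": "other-secret-example",
}

# Constructed refresh-token store: (owning client_id, flow the token was issued in).
REFRESH_TOKENS = {
    "rt-pkce-example": ("app-example", "pkce"),
    "rt-code-example": ("app-example", "authorization_code"),
}


@dataclass
class TokenRequest:
    grant_type: str
    refresh_token: str
    client_id: Optional[str] = None       # form parameter, as a PKCE client sends it
    authorization: Optional[str] = None   # "Basic b64(client_id:client_secret)" header


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the HTTP Basic value a confidential client sends (RFC 6749 section 2.3.1)."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def authenticate_client(req: TokenRequest):
    """Identify the calling client.

    Returns (client_id, authenticated). authenticated is True only when a valid
    client_secret was presented; a bare client_id in the body identifies the
    client but proves nothing, because client_ids are public.
    """
    if req.authorization is not None:
        if not req.authorization.startswith("Basic "):
            return None
        try:
            encoded = req.authorization[len("Basic "):]
            decoded = base64.b64decode(encoded, validate=True).decode()
            client_id, secret = decoded.split(":", 1)
        except (ValueError, UnicodeDecodeError):
            return None  # malformed header or no ':' separator
        expected = CLIENTS.get(client_id)
        if expected is None or not hmac.compare_digest(secret, expected):
            return None
        return client_id, True
    if req.client_id in CLIENTS:
        return req.client_id, False
    return None


def refresh(req: TokenRequest) -> dict:
    """Token-endpoint policy for grant_type=refresh_token.

    Secret-authenticated calls may refresh tokens from either flow; a client_id-only
    call may refresh only tokens that were issued via PKCE. A token issued to a
    secret-authenticated client is never downgraded to client_id-only refresh.
    """
    if req.grant_type != "refresh_token":
        return {"error": "unsupported_grant_type"}
    auth = authenticate_client(req)
    if auth is None:
        return {"error": "invalid_client"}
    client_id, authenticated = auth
    record = REFRESH_TOKENS.get(req.refresh_token)
    if record is None or record[0] != client_id:
        # unknown token, or token bound to a different client (RFC 6749 section 6)
        return {"error": "invalid_grant"}
    issued_via = record[1]
    if issued_via == "authorization_code" and not authenticated:
        # the asymmetry from the thread: ordinary tokens require the secret
        return {"error": "invalid_client"}
    # constructed placeholder; a real server mints and persists fresh tokens here
    return {"access_token": f"at-new-{issued_via}", "token_type": "Bearer"}
```

The check that matters is the one on `issued_via`: the flow a refresh token was minted under is recorded with the token, not inferred from how the refresh request happens to authenticate, so a leaked `client_id` cannot be used to refresh tokens that were originally protected by the secret.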
