AppAuth is not sending client id or client secret when requesting refresh and access tokens

  1. SDK Version: 34.0.0
  2. Platforms(ios/android/both): iOS

Bug?
AppAuth is not sending the client ID or client secret when making the second request for the refresh and access tokens, using the authorization code.

Background:
I have a custom OAuth2 provider setup on a rails app using the Doorkeeper gem. I can see the request come in and that it is missing the client id and client secret. As a result, Doorkeeper’s /oauth/token endpoint comes back with a HTTP status of 400.

Is this a bug, or is my AppAuth configuration incorrect? ( I tried multiple configs and also looked at the react-native-app-auth and AppAuth-iOS documentation for additional help since they explain more about the settings ). I even tried setting the client id and client secret again as additionalParameters

Code:

     let returnUrl = Linking.makeUrl('example-auth-session')
     const config = {
      serviceConfiguration: {
        authorizationEndpoint: 'https://example.herokuapp.com/oauth/authorize',
        tokenEndpoint: 'https://example.herokuapp.com/oauth/token',
        revocationEndpoint: 'https://example.herokuapp.com/oauth/revoke'
      },
      clientId: 'abc123',
      clientSecret: 'xyv890',
      scopes: [''],
      redirectUrl: returnUrl,
      additionalParameters: {
        clientId: 'abc123',
        clientSecret: 'xyv890',
      }
    };

    console.log("config", config)
    const tokenResponse = await AppAuth.authAsync(config); // 400 error after authentication when requesting refresh and access tokens
    console.log("Token Response:", tokenResponse)

The client secret won’t be embedded in the production app. I’m just trying to get this example working first. Thanks for the help!

Discovered my problem: DoorKeeper did not have PKCE enabled (needed for mobile apps) and the OAuth app was not marked non-confidential in the DoorKeeper settings. I’ve removed the client secret and am just passing the client id now. Had to read into the OAuth spec and Doorkeeper docs more. AppAuth appears to be working just fine.

1 Like