OAuth2: Refreshing does not work with PKCE

[advaith1]

Description

When attempting to use a refresh token to get a new access token (grant_type: 'refresh_token'), the API returns {error: "invalid_client"} if a client secret is not provided. As I am using PKCE, the client secret should not be required and is not safe to use as this is a client-side environment.

After discussing the issue in #api, I have confirmed that this is a Discord bug.

Steps to Reproduce

Do the authorization_code flow with PKCE to get an access_token and a refresh_token, not using a client secret

Try to use the refresh token: POST to /oauth2/token with

body: new URLSearchParams({
  client_id: 'valid client id',
  grant_type: 'refresh_token',
  refresh_token: 'valid refresh token'
})

Expected Behavior

Discord returns a valid OAuth2 response without requiring a client secret, because PKCE was used

This is the correct behavior according to https://auth0.com/docs/get-started/authentication-and-authorization-flow/call-your-api-using-the-authorization-code-flow-with-pkce#refresh-tokens

Current Behavior

Discord returns {error: "invalid_client"} unless a valid client_secret is provided in the request.

Screenshots/Videos

No response

Client and System Information

Chrome 108.0.5347.0
Windows 11 22H2 25217.1000

[DV8FromTheWorld]

@night you were involved in the conversation around this in #api. How do we want to proceed here?
Original context: https://canary.discord.com/channels/613425648685547541/801247546151403531/1029103227179896982

[yonilerner]

Unfortunately we're going to have to mark this as a wontfix, because our OAuth2 library does not support this functionality.

We may consider adding support for this in the future

[ManHatos]

Are we expecting this to change?

[night]

Are we expecting this to change?

Following up here, but you can refresh tokens with PKCE now if you turn on public client for your app in the OAuth2 section of your app settings in the developer portal.