Refreshing a token with PKCE

Hi everyone,

For a project I’m currently working on we have decided to use Hydra for handling the OAuth mechanism of our API.
Our main application is developed using React.JS and is a Single Page App (SPA). As we want our user to be “permanently” logged in, we have decided to use an authorization code grant flow with PKCE since we can’t provide a client secret as the source code is easily readable.

The whole authorization code grant flow works very well and we can get our access_token and refresh_token without any problem.
My issue is how to refresh this access_token. Each time I try to use the /oauth/token endpoint I get an error about not providing the client_id and the client_secret in authorization basic form, even if my client contains: "token_endpoint_auth_method": "none"

A strange point is that there is never any mention of refresh tokens in RFC 7636. Is it possible to refresh a token without providing a secret?

Sorry if it’s a silly question but I wasn’t able to find an answer on the many sites I’ve checked

Thanks in advance for your answers

Either try sending Authorization: basic(<clientid>:) (empty string as a secret or alternatively with a random secret) or send client_id in the POST form. I think one of those is the right way to do it :slight_smile:
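The second option above (client_id in the POST form, no Authorization header) as an added example written for this thread, not code from the original post or from Hydra itself; the token endpoint URL and client id are assumed placeholders, and `fetchImpl` is injectable only so the logic can be exercised offline:

```javascript
// Added example: refreshing an access token for a public OAuth2 client
// (token_endpoint_auth_method = "none") obtained via authorization code + PKCE.
// Endpoint URL and client id below are assumptions for illustration.
const TOKEN_ENDPOINT = 'https://hydra.example.com/oauth2/token'; // assumed
const CLIENT_ID = 'spa-client';                                 // assumed

// Build the refresh request. A public client identifies itself by sending
// client_id in the form body; there is no Authorization: Basic header.
function buildRefreshRequest(refreshToken, clientId = CLIENT_ID, tokenEndpoint = TOKEN_ENDPOINT) {
  const body = new URLSearchParams({
    grant_type: 'refresh_token',
    refresh_token: refreshToken,
    client_id: clientId,
  });
  return {
    url: tokenEndpoint,
    init: {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: body.toString(),
    },
  };
}

// Perform the refresh and return the new token set, or throw on an OAuth2
// error response (e.g. invalid_grant when the refresh token is expired/revoked).
async function refreshAccessToken(refreshToken, fetchImpl = globalThis.fetch) {
  const { url, init } = buildRefreshRequest(refreshToken);
  const res = await fetchImpl(url, init);
  const json = await res.json();
  if (!res.ok || json.error) {
    throw new Error(`token refresh failed: ${json.error || res.status}`);
  }
  // If the server returns a new refresh_token, store it and drop the old one;
  // treat the previous refresh token as spent.
  return {
    accessToken: json.access_token,
    refreshToken: json.refresh_token || refreshToken,
    expiresIn: json.expires_in,
  };
}
```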

Thanks a lot for your answer

Indeed I was missing the client_id parameter in the request.

FYI, the auth basic form doesn’t work with the token_endpoint_auth_method set to none

No problem!