apps-script-oauth2

Allow usage without client_secret in refresh token grant for services that only rely on PKCE

Open jackyhu-db opened this issue 10 months ago • 2 comments

v1.43.0 allows the usage without client_secret for services that only rely on PKCE (e6afdfb), but it did not remove the client_secret check in the token refresh (https://github.com/googleworkspace/apps-script-oauth2/blob/main/src/Service.js#L667), so PKCE without client_secret cannot work with refresh token grant. Can you also remove client_secret validation in the refresh as well?

jackyhu-db, Jan 09 '25 19:01

Running into the same issue with refresh token functionality when using PKCE without setting the client_secret.

anna-romanova, Feb 13 '25 22:02

+1. Is there an estimated timeframe for when this will be addressed?

kaitlynsteeves, Feb 14 '25 19:02
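
For readers following this issue, an added example (not code from apps-script-oauth2 and not written by anyone in this thread) of a refresh token grant body that works for both a confidential client and a PKCE-only public client. The function names, the `clientId`/`clientSecret` fields and the sample token values are assumptions constructed for the illustration.

```javascript
// Added example: hypothetical helpers, not the library's Service.js.
// Builds the form parameters for an RFC 6749 section 6 refresh_token grant.
function buildRefreshPayload(client, token) {
  if (!client || !client.clientId) {
    throw new Error('client_id is required to identify the client');
  }
  if (!token || !token.refresh_token) {
    throw new Error('No refresh token stored; the user must re-authorize');
  }
  const payload = {
    grant_type: 'refresh_token',
    refresh_token: token.refresh_token,
    // A public client identifies itself with client_id (RFC 6749 section 3.2.1).
    client_id: client.clientId,
  };
  // Only confidential clients hold a secret. A PKCE-only client has none,
  // so its absence is not an error and the parameter is simply left out.
  if (client.clientSecret) {
    payload.client_secret = client.clientSecret;
  }
  return payload;
}

// Serializes the parameters as application/x-www-form-urlencoded.
function encodeForm(payload) {
  return Object.keys(payload)
    .map((k) => encodeURIComponent(k) + '=' + encodeURIComponent(payload[k]))
    .join('&');
}

// The server may rotate the refresh token or omit it from the response.
// Keep the stored one when none is returned, otherwise adopt the new one.
function mergeRefreshedToken(oldToken, response) {
  return Object.assign({}, response, {
    refresh_token: response.refresh_token || oldToken.refresh_token,
  });
}

// Constructed sample values, for illustration only.
const stored = { access_token: 'at-old', refresh_token: 'rt-1' };
console.log(encodeForm(buildRefreshPayload({ clientId: 'demo-client' }, stored)));
console.log(mergeRefreshedToken(stored, { access_token: 'at-new', expires_in: 3600 }));
```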