fix(microsoft): should not pass client secret when refreshing token. Closes #1164.

2025-01-30 14:39:56 +08:00 · 2021-11-06 22:32:00 +08:00 · 2021-11-06 22:32:00 +08:00 · 5b9be471e3
commit 5b9be471e3
parent e8f8617412
2 changed files with 18 additions and 5 deletions
--- a/HMCL/src/main/java/org/jackhuang/hmcl/game/OAuthServer.java
+++ b/HMCL/src/main/java/org/jackhuang/hmcl/game/OAuthServer.java
@ -169,6 +169,10 @@ public final class OAuthServer extends NanoHTTPD implements OAuth.Session {
                    JarUtils.thisJar().flatMap(JarUtils::getManifest).map(manifest -> manifest.getMainAttributes().getValue("Microsoft-Auth-Secret")).orElse(""));
        }

+        @Override
+        public boolean isPublicClient() {
+            return true; // We have turned on the device auth flow.
+        }
    }

    public static class GrantDeviceCodeEvent extends Event {
--- a/HMCLCore/src/main/java/org/jackhuang/hmcl/auth/OAuth.java
+++ b/HMCLCore/src/main/java/org/jackhuang/hmcl/auth/OAuth.java
@ -24,6 +24,7 @@ import org.jackhuang.hmcl.util.io.HttpRequest;
 import org.jackhuang.hmcl.util.io.NetworkUtils;

 import java.io.IOException;
+import java.util.Map;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.TimeUnit;

@ -144,11 +145,17 @@ public class OAuth {

    public Result refresh(String refreshToken, Options options) throws AuthenticationException {
        try {
-            RefreshResponse response = HttpRequest.POST(accessTokenURL)
-                    .form(pair("client_id", options.callback.getClientId()),
-                            pair("client_secret", options.callback.getClientSecret()),
-                            pair("refresh_token", refreshToken),
-                            pair("grant_type", "refresh_token"))
+            Map<String, String> query = mapOf(pair("client_id", options.callback.getClientId()),
+                    pair("refresh_token", refreshToken),
+                    pair("grant_type", "refresh_token")
+            );
+
+            if (!options.callback.isPublicClient()) {
+                query.put("client_secret", options.callback.getClientSecret());
+            }
+
+            RefreshResponse response = HttpRequest.POST(tokenURL)
+                    .form(query)
                    .accept("application/json")
                    .ignoreHttpCode()
                    .getJson(RefreshResponse.class);
@ -233,6 +240,8 @@ public class OAuth {
        String getClientId();

        String getClientSecret();
+
+        boolean isPublicClient();
    }

    public enum GrantFlow {