fix(auth): stop sending apiKey as client_secret in OAuth token exchange body#753
Merged
…ge body

The SDK was auto-populating clientSecret in the POST body from apiKey during exchangeCodeForToken and refreshAccessToken, even though the apiKey is already sent via the Authorization: Bearer header. This broke reverse proxy setups where the proxy rewrites the Authorization header for credential injection — the placeholder key in the body leaked through and caused 'Invalid credentials' failures.

Fixes #703
Jira: TW-5724

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Codecov Report

✅ All modified and coverable lines are covered by tests.

@@           Coverage Diff            @@
##             main     #753    +/-   ##
==========================================
- Coverage   98.75%   98.75%   -0.01%
==========================================
  Files          43       43
  Lines        1045     1041       -4
  Branches       92       90       -2
==========================================
- Hits         1032     1028       -4
  Misses         12       12
  Partials        1        1
AaronDDM approved these changes on Jun 26, 2026
Summary

- `clientSecret` from `apiKey` in `exchangeCodeForToken` and `refreshAccessToken`
- `apiKey` is already sent via `Authorization: Bearer` header on every request — including `/v3/connect/token` — so including it in the body was redundant and broke reverse proxy credential-injection patterns
- `clientSecret` remains available on `CodeExchangeRequest`/`TokenExchangeRequest` for callers who have a distinct OAuth client secret to pass explicitly

Fixes #703
Jira: TW-5724

Test plan

- `clientSecret` is absent from the body when not provided (`auth.ts` at 100% coverage)
- `exchangeCodeForToken` and `refreshAccessToken` still work end-to-end when `clientSecret` is not passed (relying on the Authorization header)
- `clientSecret` in the request is still forwarded correctly in the body

🤖 Generated with Claude Code
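The failure mode described in the commit message and the PR summary, as an added example that is not the SDK's own code: a pre-fix request builder that falls back to `apiKey` for `client_secret`, the post-fix builder, a simulated credential-injecting proxy, and a simulated token endpoint. The key values, the `buildTokenRequest*` / `proxyInjectCredential` / `tokenEndpoint` names and the endpoint's validation rule are all constructed for this illustration.

```typescript
// Added example, not code from the PR. Demonstrates why auto-filling
// client_secret from apiKey breaks header-based credential injection.
type TokenRequest = { headers: Record<string, string>; body: Record<string, string> };
type Builder = (apiKey: string, code: string, clientSecret?: string) => TokenRequest;

const PLACEHOLDER_KEY = "proxy-placeholder"; // constructed: what the app holds when a proxy injects the real key
const REAL_KEY = "real-api-key-123";         // constructed: known only to the proxy and the token endpoint

// Before the fix (the bug the PR describes): clientSecret falls back to apiKey in the body.
function buildTokenRequestBefore(apiKey: string, code: string, clientSecret?: string): TokenRequest {
  return {
    headers: { Authorization: `Bearer ${apiKey}` },
    body: { grant_type: "authorization_code", code, client_secret: clientSecret ?? apiKey },
  };
}

// After the fix: client_secret is only sent when the caller passes a distinct secret.
function buildTokenRequestAfter(apiKey: string, code: string, clientSecret?: string): TokenRequest {
  const body: Record<string, string> = { grant_type: "authorization_code", code };
  if (clientSecret !== undefined) body.client_secret = clientSecret;
  return { headers: { Authorization: `Bearer ${apiKey}` }, body };
}

// Simulated reverse proxy doing credential injection: it rewrites only the header,
// so whatever the app put in the body passes through untouched.
function proxyInjectCredential(req: TokenRequest): TokenRequest {
  return { ...req, headers: { ...req.headers, Authorization: `Bearer ${REAL_KEY}` } };
}

// Simulated token endpoint (constructed rule): the bearer key must be valid, and a
// client_secret present in the body is checked too rather than ignored.
function tokenEndpoint(req: TokenRequest): "ok" | "Invalid credentials" {
  if (req.headers.Authorization !== `Bearer ${REAL_KEY}`) return "Invalid credentials";
  if ("client_secret" in req.body && req.body.client_secret !== REAL_KEY) return "Invalid credentials";
  return "ok";
}

// Run a code exchange through the proxy with the given builder and report the endpoint's verdict.
function exchangeThroughProxy(build: Builder): string {
  return tokenEndpoint(proxyInjectCredential(build(PLACEHOLDER_KEY, "auth-code-xyz")));
}

console.log("before fix:", exchangeThroughProxy(buildTokenRequestBefore)); // Invalid credentials
console.log("after fix: ", exchangeThroughProxy(buildTokenRequestAfter));  // ok
```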