From 5b9be471e369d724ae8a070e607ffff4304b33e8 Mon Sep 17 00:00:00 2001
From: huanghongxun
Date: Sat, 6 Nov 2021 22:32:00 +0800
Subject: [PATCH] fix(microsoft): should not pass client secret when refreshing token.
Closes #1164.
---
 .../org/jackhuang/hmcl/game/OAuthServer.java | 4 ++++
 .../java/org/jackhuang/hmcl/auth/OAuth.java | 19 ++++++++++++++-----
 2 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/HMCL/src/main/java/org/jackhuang/hmcl/game/OAuthServer.java b/HMCL/src/main/java/org/jackhuang/hmcl/game/OAuthServer.java
index e93bf0560..72f6a56f3 100644
--- a/HMCL/src/main/java/org/jackhuang/hmcl/game/OAuthServer.java
+++ b/HMCL/src/main/java/org/jackhuang/hmcl/game/OAuthServer.java
@@ -169,6 +169,10 @@ public final class OAuthServer extends NanoHTTPD implements OAuth.Session {
                 JarUtils.thisJar().flatMap(JarUtils::getManifest).map(manifest -> manifest.getMainAttributes().getValue("Microsoft-Auth-Secret")).orElse(""));
     }
 
+    @Override
+    public boolean isPublicClient() {
+        return true; // We have turned on the device auth flow.
+    }
 }
 
 public static class GrantDeviceCodeEvent extends Event {
diff --git a/HMCLCore/src/main/java/org/jackhuang/hmcl/auth/OAuth.java b/HMCLCore/src/main/java/org/jackhuang/hmcl/auth/OAuth.java
index 9cda0beba..f1d89ba5a 100644
--- a/HMCLCore/src/main/java/org/jackhuang/hmcl/auth/OAuth.java
+++ b/HMCLCore/src/main/java/org/jackhuang/hmcl/auth/OAuth.java
@@ -24,6 +24,7 @@ import org.jackhuang.hmcl.util.io.HttpRequest;
 import org.jackhuang.hmcl.util.io.NetworkUtils;
 
 import java.io.IOException;
+import java.util.Map;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.TimeUnit;
 
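Review bot: `isPublicClient()` returns a constant `true`, yet the context line directly above it still reads a `Microsoft-Auth-Secret` attribute from the jar manifest (presumably the body of `getClientSecret()`), so this class now declares itself a public client while continuing to hand out a secret; nothing in the hunk says which of the two is authoritative. The inline comment explains the flow that was switched on, not the contract, so I would replace it with a Javadoc such as `/** Always a public client: a secret shipped inside a distributed jar cannot be kept confidential, so it is never sent to the token endpoint. */` and either have `getClientSecret()` return an empty string or state there that its value is ignored. The enclosing nested class starts outside the hunk, so I cannot see whether any other path in it still consults the secret.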
@@ -144,11 +145,17 @@ public class OAuth {
 
     public Result refresh(String refreshToken, Options options) throws AuthenticationException {
         try {
-            RefreshResponse response = HttpRequest.POST(accessTokenURL)
-                    .form(pair("client_id", options.callback.getClientId()),
-                            pair("client_secret", options.callback.getClientSecret()),
-                            pair("refresh_token", refreshToken),
-                            pair("grant_type", "refresh_token"))
+            Map query = mapOf(pair("client_id", options.callback.getClientId()),
+                    pair("refresh_token", refreshToken),
+                    pair("grant_type", "refresh_token")
+            );
+
+            if (!options.callback.isPublicClient()) {
+                query.put("client_secret", options.callback.getClientSecret());
+            }
+
+            RefreshResponse response = HttpRequest.POST(tokenURL)
+                    .form(query)
                     .accept("application/json")
                     .ignoreHttpCode()
                     .getJson(RefreshResponse.class);
@@ -233,6 +240,8 @@ public class OAuth {
 
         String getClientId();
         String getClientSecret();
+
+        boolean isPublicClient();
     }
 
     public enum GrantFlow {
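Review bot: `Map query = mapOf(...)` in `refresh` is a raw type, so the later `query.put("client_secret", ...)` only compiles with an unchecked warning and the compiler cannot check what `.form(query)` receives; declare it as `Map<String, String> query = mapOf(...)`. Two things the hunk itself cannot show: `mapOf` must return a mutable map, otherwise the `put` in the confidential-client branch throws `UnsupportedOperationException` at runtime for every non-public callback (a unit test with `isPublicClient()` returning false would pin this), and the endpoint field changes from `accessTokenURL` to `tokenURL` without the commit message mentioning it, so please confirm `tokenURL` is the intended token endpoint rather than a stray rename. `refresh` continues past the end of the hunk, so the response and error handling after `getJson` is not reviewed here.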
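Review bot: `boolean isPublicClient();` is added to the interface without Javadoc, and its relationship to `getClientSecret()`, which stays on the same interface, is only implied by the one caller in `refresh`. I would state the contract on the new method: `/** Whether this is a public OAuth client with no confidential secret. When true, {@link #getClientSecret()} is never sent to the token endpoint and implementations may return an empty string from it. */`. The enclosing interface starts outside the hunk, so it is not visible whether the other token requests in this file consult the flag; if they still send the secret unconditionally, the same suppression should apply to them.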