Cannot use role_connections.write scope with PKCE

[Regalijan]

Description

Going through the oauth flow using both the role_connections.write scope and PKCE will return an invalid_scope error to the browser

Steps to Reproduce

Go to https://discord.com/oauth2/authorize?client_id=<your_id>&code_challenge=whatever&code_challenge_method=S256&redirect_uri=<your_uri>&response_type=code&scope=identify%20role_connections.write

(validity of challenge does not matter)

Expected Behavior

The browser should be returned an authorization code in the url regardless of if PKCE is used

Current Behavior

Browser is returned an error message in the url when using PKCE, otherwise works without using it.

Screenshots/Videos

No response

Client and System Information

Edge 108.0.1462.46
Windows 11 22H2 22621.963

[advaith1]

This is intentional, unfortunately it's not possible to securely support this without a breaking change

[april83c]

This is intentional, unfortunately it's not possible to securely support this without a breaking change

huh? can you elaborate? what breaking change? how does supporting PKCE here break any existing functionality?

[advaith1]

the role connections api unfortunately does not require a bot token, it expects that bearer tokens are only used by the app. PKCE allows users to generate their own bearer tokens without the client secret, which would introduce security issues if it worked for this scope.

if the endpoints required both a bot token and a bearer token like some other endpoints, then it would be fine to support implicit grant and pkce, but unfortunately it was too late to change that by the time this issue was raised.