FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Consider the client authentication and refresh token grant #2173

Closed jobannon closed 1 year ago

jobannon commented 1 year ago

Consider the client authentication and refresh token grant

Description

If I am a SPA developer, and I would like to refresh my access token, I cannot enable "Not required when using PKCE".


When calling the token endpoint with client authentication enabled (Not required when using PKCE)

curl --request POST \
  --url https://local.fusionauth.io/oauth2/token \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data grant_type=refresh_token \
  --data refresh_token=1VUj0azyHaxWQM3hldNsc0FdzG9QlNIMMmBxntMC8zl9VlaMurqX2g \
  --data client_id=85a03867-dccf-4882-adde-1a79aeec50df \
  --data redirect_uri=http://localhost:3000/oauth-redirect

I get the following error.

{
    "error": "invalid_client",
    "error_description": "Client authentication missing as Basic Authorization header or credentials in the body (or some combination of them).",
    "error_reason": "client_authentication_missing"
}

Expected

I should be able to start on a SPA with PKCE and be able to refresh tokens without having to completely disable client authentication.


robotdan commented 1 year ago

Our current implementation is to spec as far as I know.

https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens

12.1 Refresh Request

To refresh an Access Token, the Client MUST authenticate to the Token Endpoint using the authentication method registered for its client_id, as documented in Section 9.

We support these modes of authentication as found in our well-known config endpoint:

"token_endpoint_auth_methods_supported": [
  "client_secret_basic",
  "client_secret_post",
  "none"
]

You do have the option to set this configuration to none if you want to use the Token endpoint w/out the ability to use a client secret.

robotdan commented 1 year ago

Working as designed. I don't think we want to promote or allow a public client to perform a token refresh. This should be done server side or by some sort of confidential client.

FusionAuth can do this for a single page web app using the "magic backend".