Closed jobannon closed 1 year ago
Our current implementation is to spec as far as I know.
https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens
> 12.1 Refresh Request: To refresh an Access Token, the Client MUST authenticate to the Token Endpoint using the authentication method registered for its client_id, as documented in Section 9.
We support these modes of authentication as found in our well-known config endpoint:
```json
"token_endpoint_auth_methods_supported": [
  "client_secret_basic",
  "client_secret_post",
  "none"
]
```
You do have the option to set this configuration to none if you want to use the Token endpoint w/out the ability to use a client secret.
Working as designed. I don't think we want to promote or allow a public client to perform a token refresh. This should be done server side or by some sort of confidential client.
FusionAuth can do this for a single page web app using the "magic backend".
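As an added illustration of the point above (example code, not FusionAuth's implementation), the following Python models both sides of the refresh grant: the client building the request with each of the three listed `token_endpoint_auth_methods_supported` values, and a token endpoint that checks the presented credential against the method the client registered with and, when client authentication is required, refuses a public (`none`) client. The client registry, the secrets and the `require_client_auth` flag are constructed assumptions standing in for the server's application settings.

```python
import base64
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed client registry standing in for the server's application settings.
CLIENTS = {
    "spa-client": {"auth_method": "none", "secret": None},
    "bff-client": {"auth_method": "client_secret_basic", "secret": "basic-secret-example"},
    "post-client": {"auth_method": "client_secret_post", "secret": "post-secret-example"},
}

def build_refresh_request(client_id, refresh_token, secret=None, method="client_secret_basic"):
    """Client side: the refresh request of OIDC Core 12.1; returns (headers, form_body)."""
    form = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        cred = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
        headers["Authorization"] = f"Basic {cred}"
    elif method == "client_secret_post":
        form["client_id"], form["client_secret"] = client_id, secret
    else:  # "none": a public client only names itself, it has no secret to present
        form["client_id"] = client_id
    return headers, urlencode(form)

def authenticate_client(headers, body):
    """Token-endpoint side: detect the method used, check it against the registered one and secret."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        cid, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
        method = "client_secret_basic"
    elif "client_secret" in form:
        cid, secret, method = form.get("client_id"), form["client_secret"], "client_secret_post"
    else:
        cid, secret, method = form.get("client_id"), None, "none"
    client = CLIENTS.get(cid)
    if client is None or client["auth_method"] != method:
        return cid, False  # unknown client, or not the method it registered with
    if method == "none":
        return cid, True
    return cid, hmac.compare_digest(secret.encode(), client["secret"].encode())

def refresh_allowed(headers, body, require_client_auth=True):
    """Policy the issue is about: with client auth required, a public client's refresh is refused."""
    cid, ok = authenticate_client(headers, body)
    if not ok:
        return False
    return not (require_client_auth and CLIENTS[cid]["auth_method"] == "none")
```

With `require_client_auth` left on, only a confidential client such as a backend acting for the SPA gets a successful refresh, which is the "magic backend" arrangement described above.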
Consider the client authentication and refresh token grant
Description
If I am a SPA developer, and I would like to refresh my access token, I cannot enable `Not required when using PKCE`. When calling the token endpoint with client authentication enabled (`Not required when using PKCE`) I get the following error.
Expected
I should be able to start on a SPA with PKCE and be able to refresh tokens without having to completely disable client authentication.