IdentityServer / IdentityServer4

OpenID Connect and OAuth 2.0 Framework for ASP.NET Core
https://identityserver.io
Apache License 2.0

Use of Refresh Token in Native and SPA app #5386

Closed pampua84 closed 2 years ago

pampua84 commented 2 years ago

Hi, I have a question to which unfortunately I cannot find an answer. Native or SPA apps that have no associated secret use the Authorization Code flow + PKCE to get the various tokens, but how can they use the refresh token to get a new access token and ID token, since the /connect/token endpoint also wants the client_secret among the parameters, like this:

    POST /connect/token

    client_id=client&
    client_secret=secret&
    grant_type=refresh_token&
    refresh_token=hdh922

Unfortunately, I have not found any useful info on the doc on the internet. Can you please help me understand how to do this? Thanks.

brockallen commented 2 years ago

The Client config has a RequireClientSecret that you can set to false:

https://docs.duendesoftware.com/identityserver/v5/reference/models/client/#basics

We don't recommend refresh tokens in SPAs though:

https://blog.duendesoftware.com/posts/20210326_bff/

pampua84 commented 2 years ago

Thanks, @brockallen for the reply. I have read the posts linked by you and they are very useful. Does the same thing also apply to native mobile apps?

brockallen commented 2 years ago

Native mobile is fine with refresh token and no client secret.
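Putting the two answers together, the following is an added example (written for this page, not code from the issue thread or from the IdentityServer4 repository) of what a public native-mobile client looks like on both sides: the server-side `Client` definition with `RequireClientSecret = false`, and the client-side refresh call that sends no client_secret. It uses the IdentityServer4 `Client` model and the IdentityModel client library; the client id `native.mobile`, the custom-scheme redirect URI, the API scope `api1` and the token lifetimes are assumed values.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;
using IdentityServer4;
using IdentityServer4.Models;

// Added example, not from the issue thread or the IdentityServer4 samples.
// Assumed values: client id "native.mobile", the redirect URI, the API scope
// "api1", and the refresh-token lifetimes below.
public static class NativeClientConfig
{
    // Server side: a public client (no secret) that is allowed to obtain refresh tokens.
    public static Client NativeMobileClient => new Client
    {
        ClientId = "native.mobile",
        ClientName = "Native mobile app (assumed)",

        // Authorization code flow; PKCE is required so an intercepted
        // authorization code cannot be redeemed by another app on the device.
        AllowedGrantTypes = GrantTypes.Code,
        RequirePkce = true,

        // The switch brockallen points to: the client is public, so the token
        // endpoint must not demand client_secret on code exchange or on refresh.
        RequireClientSecret = false,

        // Refresh tokens are only issued when this is true and the app requests
        // the offline_access scope at the authorize endpoint.
        AllowOfflineAccess = true,
        AllowedScopes =
        {
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile,
            "api1"
        },

        // Defence in depth for a token stored on a device: rotate it on every use
        // (a copied token is invalidated by the next legitimate refresh) and cap
        // its lifetime so it cannot be renewed forever.
        RefreshTokenUsage = TokenUsage.OneTimeOnly,
        RefreshTokenExpiration = TokenExpiration.Sliding,
        SlidingRefreshTokenLifetime = 60 * 60 * 24 * 14,  // 14 days of inactivity (assumed)
        AbsoluteRefreshTokenLifetime = 60 * 60 * 24 * 90, // 90-day hard ceiling (assumed)
        UpdateAccessTokenClaimsOnRefresh = true,

        RedirectUris = { "com.example.nativeapp:/callback" } // assumed custom scheme
    };
}

public static class NativeClientRefresh
{
    // Client side: the same request as in the question, minus client_secret:
    //
    //     POST /connect/token
    //     client_id=native.mobile&grant_type=refresh_token&refresh_token=<token>
    //
    // IdentityModel builds that form post for us.
    public static async Task<TokenResponse> RefreshAsync(
        HttpClient http, string tokenEndpoint, string refreshToken)
    {
        var response = await http.RequestRefreshTokenAsync(new RefreshTokenRequest
        {
            Address = tokenEndpoint,
            ClientId = "native.mobile",
            // No ClientSecret: IdentityServer accepts this only because
            // RequireClientSecret is false on the matching Client above.
            RefreshToken = refreshToken
        });

        if (response.IsError)
        {
            // invalid_grant here usually means the refresh token was revoked,
            // expired, or already consumed (OneTimeOnly). Do not retry; send the
            // user back through the authorize endpoint instead.
            throw new InvalidOperationException($"Refresh failed: {response.Error}");
        }

        // With OneTimeOnly the response carries a NEW refresh token alongside the
        // new access token (and a new id token when openid was requested); the app
        // must persist the new one and discard the old one or the next refresh fails.
        return response;
    }
}
```

The two halves have to agree: if `RequireClientSecret` were left at its default of true, the refresh call above would be rejected with invalid_client, which is exactly the situation the question describes. The rotation and lifetime settings are not required to make the flow work; they are the settings a practitioner would want because a refresh token on a device is the long-lived credential an attacker is most interested in.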

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Questions are community supported only and the authors/maintainers may or may not have time to reply. If you or your company would like commercial support, please see here for more information.

github-actions[bot] commented 2 years ago

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.