akveo / nebular

:boom: Customizable Angular UI Library based on Eva Design System :new_moon_with_face::sparkles:Dark Mode
https://akveo.github.io/nebular
MIT License

[Bug] Missing client_id in form-data of refresh_token request with NbOAuth2AuthStrategy #2243

Open PatrickHuetter opened 4 years ago

PatrickHuetter commented 4 years ago

Issue type

I'm submitting a ... (check one with "x")

Issue description

Current behavior: When nebular oauth2 parts want to refresh a token using authorization_code grant/flow for login and refresh_token for refresh, it fails because the request for the refresh_token endpoint doesn't contain the client_id as specified by the oauth2 spec.

[Screenshot: Bildschirmfoto 2020-02-28 um 15 11 31]

Expected behavior: The request for refreshing the token should contain the "client_id" in the form data of the refresh_token request. This is also described here: https://www.oauth.com/oauth2-servers/access-tokens/refreshing-access-tokens/

Typically, refresh tokens are only used with confidential clients. However, since it is possible to use the authorization code flow without a client secret, the refresh grant may also be used by clients that don’t have a secret. If the client was issued a secret, then the client must authenticate this request. Typically the service will allow either additional request parameters client_id and client_secret, or accept the client ID and secret in the HTTP Basic auth header. If the client does not have a secret, then no client authentication will be present in this request.

Steps to reproduce: Just set up a Keycloak oauth2 server and configure nebular to use that with NbOAuth2AuthStrategy. Login (this works) and wait until your token expires and watch nebular making the request to the token endpoint with the refresh_token in Chrome debug tools. You will see that it fails because the client_id is missing.

PatrickHuetter commented 4 years ago

UPDATE: I found a workaround if you're using Keycloak as IdP.

Just set the client_secret to some random value. Because the nebular auth module is only including the client_id payload if both client_id and client_secret exist (that's the bug) and Keycloak isn't checking the secret in authorization_code mode, this seems to work. https://github.com/akveo/nebular/blob/bc68d11b9278e7a9f1c5c77b20c269c6025c0e58/src/framework/auth/strategies/oauth2/oauth2-strategy.ts#L347

[Screenshot: Bildschirmfoto 2020-03-20 um 10 49 49]
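Added example, not Nebular's code: the "both client_id and client_secret" condition the workaround above relies on, beside a corrected builder that always sends client_id and adds client_secret only for confidential clients, as the quoted oauth.com text describes. The settings shape and function names are assumptions for illustration.

```typescript
// Minimal client settings shape (hypothetical, not Nebular's NbOAuth2AuthStrategyOptions).
interface OAuth2ClientSettings {
  clientId: string;
  clientSecret?: string;
}

// Mirrors the behaviour the issue describes: client credentials are only added
// when BOTH client_id and client_secret are configured, so a public client
// (no secret) sends a refresh_token request with no client_id at all.
function buildRefreshParamsBuggy(settings: OAuth2ClientSettings, refreshToken: string): Record<string, string> {
  const params: Record<string, string> = {
    grant_type: 'refresh_token',
    refresh_token: refreshToken,
  };
  if (settings.clientId && settings.clientSecret) {
    params.client_id = settings.clientId;
    params.client_secret = settings.clientSecret;
  }
  return params;
}

// Corrected: client_id is always present; client_secret is added only when the
// client was issued one (confidential client). A public client therefore still
// identifies itself to the token endpoint without any secret.
function buildRefreshParamsFixed(settings: OAuth2ClientSettings, refreshToken: string): Record<string, string> {
  const params: Record<string, string> = {
    grant_type: 'refresh_token',
    refresh_token: refreshToken,
    client_id: settings.clientId,
  };
  if (settings.clientSecret) {
    params.client_secret = settings.clientSecret;
  }
  return params;
}

// Encode the parameters as application/x-www-form-urlencoded, which is what
// the token endpoint expects in the request body.
function toFormBody(params: Record<string, string>): string {
  return Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
}
```

Passing a dummy clientSecret to buildRefreshParamsBuggy reproduces the Keycloak workaround: the condition becomes true and client_id is sent again.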