bondy-io / bondy

Bondy is an open source, always-on and scalable application networking platform connecting all elements of a distributed application—offering service and event mesh capabilities combined. Bondy implements the open Web Application Messaging Protocol (WAMP) and is written in Erlang.
https://www.bondy.io
Apache License 2.0

[1.0.0-beta.68] OAuth2 - client_credentials should not return refresh token? #19

Closed alejandro-miguez closed 1 year ago

alejandro-miguez commented 1 year ago

At Latam LoJack we are upgrading to the latest version of bondy 1.0.0-beta.68, and we noticed that the refresh_token is not present when issuing a new token for grant_type=client_credentials. Because the "BackOffice" web apps are using and implementing the OAuth2 flow, we need the refresh token. Below is an issued token without the refresh_token attribute:

The change was applied with the following commit: https://github.com/bondy-io/bondy/commit/0d2e6729646bea8a499e1a81bdacf2127c18c139, changing a private function in module bondy_oauth2:

%% @private
supports_refresh_token(client_credentials) -> false;
supports_refresh_token(application_code) -> true;
supports_refresh_token(password) -> true;
supports_refresh_token(Grant) -> error({oauth2_unsupported_grant_type, Grant}).

Is it possible to support it? Maybe using some configurable feature?

aramallo commented 1 year ago

Hi @alejandro-miguez, thanks for this.

The client credentials flow SHOULD not return a refresh token as per the spec.

This makes sense, as the refresh token exists to obtain a new token on behalf of the end user without asking them to authenticate again. But the Client (app) should always authenticate, in which case a refresh token does not make sense and it should simply obtain a new token.
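The point made in this thread, as an added example that is not Bondy's code: a minimal token issuer that applies the same per-grant decision table as the quoted supports_refresh_token function (standard grant names are assumed; the page's application_code clause is taken to mean the authorization code grant), and a client-side helper showing what a back-office app does when no refresh_token arrives: it re-authenticates with its own credentials before the access token expires. The client registry and secret are constructed for the demo.

```python
import secrets
import time

# Whether a refresh token is issued per grant type. Mirrors the decision
# table quoted above; RFC 6749 s4.4.3 says client_credentials SHOULD NOT
# receive one, because the client can always authenticate itself again.
SUPPORTS_REFRESH = {
    "client_credentials": False,
    "authorization_code": True,
    "password": True,
}

CLIENTS = {"backoffice": "s3cret-demo-only"}  # constructed demo registry
ACCESS_TTL = 300  # access token lifetime in seconds (assumed)


def issue_token(grant_type, client_id, client_secret, now=None):
    """Behave like a token endpoint for the given grant type."""
    if grant_type not in SUPPORTS_REFRESH:
        raise ValueError(f"unsupported_grant_type: {grant_type}")
    # Constant-time comparison of the client secret.
    if not secrets.compare_digest(CLIENTS.get(client_id, ""), client_secret):
        raise PermissionError("invalid_client")
    now = time.time() if now is None else now
    token = {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "bearer",
        "expires_in": ACCESS_TTL,
        "issued_at": now,
    }
    if SUPPORTS_REFRESH[grant_type]:  # omitted for client_credentials
        token["refresh_token"] = secrets.token_urlsafe(32)
    return token


class ClientCredentialsSession:
    """Client side: re-authenticate instead of refreshing."""

    def __init__(self, client_id, client_secret, skew=30):
        self.client_id, self.client_secret = client_id, client_secret
        self.skew = skew  # renew this many seconds before expiry
        self.token = None

    def access_token(self, now=None):
        now = time.time() if now is None else now
        t = self.token
        if t is None or now >= t["issued_at"] + t["expires_in"] - self.skew:
            # No refresh_token exists for this grant: just request a new
            # access token with the client's own credentials.
            self.token = issue_token("client_credentials", self.client_id,
                                     self.client_secret, now)
        return self.token["access_token"]
```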