Closed alejandro-miguez closed 1 year ago
Hi @alejandro-miguez , thanks for this.
The client credentials flow SHOULD not return a refresh token as per the spec.
This makes sense as the refresh token exists to obtain a new token on behalf of the end user without asking it to authenticate again. But the Client (app) should always authenticate, in which case a refresh token does not make sense and it should simply obtain a new token.
At Latam LoJack we are upgrading to the latest version of bondy 1.0.0-beta.68 and we noticed that the refresh_token is not present when we are issuing a new token for grant_type=client_credentials. Because the "BackOffice" webapps are using and implementing the oauth2 flow, we need the refresh token. Below is an issued token without the refresh_token attribute:
The change was applied with the following commit: https://github.com/bondy-io/bondy/commit/0d2e6729646bea8a499e1a81bdacf2127c18c139 changing a private function in module bondy_oauth2:
Is it possible to support it? Maybe using some configurable feature?
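The approach described in the reply above (the client authenticates again instead of refreshing), as an added example that is not part of this thread or of Bondy's code. `request_token` is a hypothetical callable standing in for the authenticated POST of grant_type=client_credentials to the token endpoint, and the token values are constructed.

```python
import time


class TokenError(Exception):
    """Raised when the token endpoint returns an error or a malformed response."""


class ClientCredentialsTokenSource:
    """Caches the access token and re-authenticates the client before it expires."""

    def __init__(self, request_token, skew=30.0, clock=time.monotonic):
        # request_token (hypothetical): performs the authenticated POST with
        # grant_type=client_credentials and returns the parsed JSON response.
        self._request_token = request_token
        self._skew = skew            # renew this many seconds before expiry
        self._clock = clock
        self._access_token = None
        self._expires_at = 0.0

    def token(self):
        if self._access_token is None or self._clock() >= self._expires_at - self._skew:
            self._reauthenticate()
        return self._access_token

    def _reauthenticate(self):
        self._access_token = None    # never fall back to a stale token
        resp = self._request_token()
        if "error" in resp or "access_token" not in resp:
            raise TokenError(resp.get("error", "invalid_response"))
        # Any refresh_token in the response is ignored: the client holds its own
        # credentials, so a new token always comes from authenticating again.
        # A response without expires_in is not cached (lifetime treated as 0).
        self._expires_at = self._clock() + float(resp.get("expires_in", 0))
        self._access_token = resp["access_token"]


def make_fake_endpoint(expires_in=900):
    """Constructed stand-in for the token endpoint; counts how often it is called."""
    calls = {"n": 0}

    def request_token():
        calls["n"] += 1
        return {"access_token": f"constructed-token-{calls['n']}",
                "token_type": "bearer", "expires_in": expires_in}
    return request_token, calls


if __name__ == "__main__":
    endpoint, calls = make_fake_endpoint()
    source = ClientCredentialsTokenSource(endpoint)
    print(source.token(), source.token(), "endpoint calls:", calls["n"])
```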