lepture / authlib

The ultimate Python library in building OAuth, OpenID Connect clients and servers. JWS,JWE,JWK,JWA,JWT included.
https://authlib.org/
BSD 3-Clause "New" or "Revised" License

Refresh Token using public client with out client secret key is not working #578

Closed Arokiasamy-tec closed 11 months ago

Arokiasamy-tec commented 11 months ago

Describe the bug

When we hit the new token request using the refresh_token grant type, we get the invalid client error.


Expected behavior: when we hit the token endpoint using the refresh_token grant type, it should return the access token.


Additional context

When I go through the code of the BaseGrant class, there is a constant TOKEN_ENDPOINT_AUTH_METHODS which allows only client_secret_basic. Can we add the none option as well, which would support public clients?

Screenshot from 2023-09-08 15-58-35

lepture commented 11 months ago

A public client without client secret SHOULD not obtain tokens with refresh token.

Arokiasamy-tec commented 11 months ago

Ok fine, I will close this issue.

bjmc commented 11 months ago

@Arokiasamy-tec look at PKCE for public clients https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-proof-key-for-code-exchange-pkce

Arokiasamy-tec commented 11 months ago

Screenshot from 2023-09-11 14-52-48

Which means public clients should be allowed to obtain an access_token using refresh tokens, but every time it must be a new refresh token.

bjmc commented 11 months ago

What authorization server are you using? The details are very implementation specific.

Authorization servers MAY issue refresh tokens to web application clients and native application clients. ... The authorization server MUST verify the binding between the refresh token and client identity whenever the client identity can be authenticated. When client authentication is not possible, the authorization server SHOULD deploy other means to detect refresh token abuse.

So it likely depends what your authorization server requires in terms of client authentication. PKCE (linked previously) is one example.
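The thread turns on two points: Arokiasamy-tec's question about letting a grant accept the `none` auth method for public clients, and the RFC 6749 section 10.4 text bjmc quotes, which requires the server to "deploy other means to detect refresh token abuse" when the client cannot authenticate. The block below is an added example, not code from Authlib or from anyone in this issue. It shows the usual "other means": bind each refresh token to the client_id it was issued to, rotate the token on every use, and revoke the whole token family when an already-rotated token is presented again (reuse detection). It is a self-contained in-memory store so it runs without Authlib; in a real Authlib server the same checks would sit behind a RefreshTokenGrant subclass's hooks (authenticate_refresh_token and revoke_old_credential), and the class, function and client names here are constructed for illustration.

```python
"""Refresh-token rotation with reuse detection for public (unauthenticated) clients.

Constructed example: a minimal in-memory token store that applies the
"other means to detect refresh token abuse" RFC 6749 section 10.4 asks for
when client authentication is not possible. It does not use Authlib's API;
it only models the checks a RefreshTokenGrant subclass would perform.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class RefreshToken:
    value: str
    client_id: str        # public client the token was issued to (binding check)
    family: str           # every rotation of one original grant shares a family id
    revoked: bool = False


class TokenStore:
    def __init__(self) -> None:
        self._tokens: Dict[str, RefreshToken] = {}

    def issue(self, client_id: str, family: Optional[str] = None) -> RefreshToken:
        """Mint a fresh refresh token; a new family is started unless one is given."""
        tok = RefreshToken(
            value=secrets.token_urlsafe(32),
            client_id=client_id,
            family=family or secrets.token_hex(8),
        )
        self._tokens[tok.value] = tok
        return tok

    def revoke_family(self, family: str) -> int:
        """Revoke every still-valid token in a family; returns how many were revoked."""
        count = 0
        for tok in self._tokens.values():
            if tok.family == family and not tok.revoked:
                tok.revoked = True
                count += 1
        return count

    def refresh(self, presented: str, client_id: str) -> Optional[RefreshToken]:
        """Exchange a refresh token for a rotated one.

        Returns the new token, or None when the request must be rejected.
        The client_id comes from the request body, as it does for a public
        client that cannot present a secret, so it is only a binding check.
        """
        tok = self._tokens.get(presented)
        if tok is None or tok.client_id != client_id:
            return None                       # unknown token or wrong client_id
        if tok.revoked:
            # An already-rotated token was presented again: either the real
            # client or someone holding a stolen copy replayed it. Revoke the
            # whole family so neither party can keep refreshing.
            self.revoke_family(tok.family)
            return None
        tok.revoked = True                    # single use: rotate on every refresh
        return self.issue(client_id, tok.family)


def scenario() -> dict:
    """Walk through a legitimate rotation, a binding failure and a replay."""
    store = TokenStore()
    rt1 = store.issue("public-spa")                    # constructed client id
    rt2 = store.refresh(rt1.value, "public-spa")       # legitimate rotation
    wrong = store.refresh(rt2.value, "other-client")   # wrong client_id: rejected
    replay = store.refresh(rt1.value, "public-spa")    # old token replayed: family revoked
    after = store.refresh(rt2.value, "public-spa")     # newest token is now dead too
    return {
        "rotated": rt2 is not None,
        "wrong_client_rejected": wrong is None,
        "replay_rejected": replay is None,
        "family_revoked": after is None and rt2.revoked,
    }


if __name__ == "__main__":
    print(scenario())
```

A binding check alone is weak for a public client, because the client_id is not a secret; the rotation plus family revocation is what limits the damage from a leaked refresh token, and the revocation event is also the signal worth logging and alerting on.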