Auto-refresh OAuth2 token when there is no refresh token

[palhal]

Is there an existing request for this feature?

• [X] I have searched the existing issues for this feature request and I know that duplicates will be closed

Is your feature request related to a problem?

The current Auto-refresh token feature is nice, but unfortunately only works when a _refreshtoken is present in the authentication response. Including a refresh token is discouraged by the OAuth2 standard when using Implicit Grant or Client Credentials Grant.

References: https://www.rfc-editor.org/rfc/rfc6749#section-4.2.2 https://www.rfc-editor.org/rfc/rfc6749#section-4.4.3

Describe the solution you'd like

• When a refresh token is present, use the refresh token
• When a refresh token is not present, reauthenticate the normal way

Describe alternatives you've considered

Enable refresh tokens at the server side, but this is discouraged for our grant type (client_credentials).

Additional context

No response

[savage-alex]

Upvoting this! I love the new feature to refresh tokens but as above this works with Authorization code flow but not client credentials grant which should be an easy implement as the secret is right there to use.

[cdanoff]

please implement!

[Pablorg99]

This would be very useful! Does anyone know a workaround while this is not implemented?

[savage-alex]

@Pablorg99 you are welcome to use this collection (would need a small mod for client creds flow) https://www.postman.com/universal-escape-252485/workspace/oauth2-0-auth-code-flow-token-refresher/collection/14551493-90d6e522-9e8c-4bd3-ac80-4ee3b81f26d4

we made this in teh times the main feature didnt exist but applies just as much now sadly with client creds flow not automating refresh.

[tracymazelin]

Need this!