Some OAuth providers (e.g. Keycloak) require that client_id is sent when using a refresh token.
This patch adds the refreshTokenWithClientId option that may be used similarly to the refreshTokenWithCredentials.
When true, the request body for the token refresh will also send a client_id parameter fetched from the state.
I have locally tested this patch and it produces the desired behaviour, though I've not commit the packed dist bundle files yet.
The refreshTokenWithCredentials option wouldn't be suitable when using a public client as no credentials are known.
Evidence of Keycloak's behaviour may be found on the discourse.
Some OAuth providers (e.g. Keycloak) require that client_id is sent when using a refresh token.
This patch adds the
refreshTokenWithClientIdoption that may be used similarly to therefreshTokenWithCredentials.When
true, the request body for the token refresh will also send aclient_idparameter fetched from the state.I have locally tested this patch and it produces the desired behaviour, though I've not commit the packed dist bundle files yet.
The
refreshTokenWithCredentialsoption wouldn't be suitable when using a public client as no credentials are known.Evidence of Keycloak's behaviour may be found on the discourse.