wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

When refreshing the token taken for OAuth2 public client it is required to send the client_id #8195

Open thanujalk opened 4 years ago

thanujalk commented 4 years ago

Describe the issue: When refreshing the token taken for OAuth2 public client it is required to send the client_id.

How to reproduce:

  1. Create an OAuth2 public client from the admin-console
  2. Generate access token & refresh pair
  3. Try to refresh the token

It is required to send the client_id in the request.

Expected behavior: IdP should be able to identify the client from the refresh token.

emswbandara commented 3 years ago

@Yasasr1 will look into this

mefarazath commented 3 years ago

This could be the expected behavior. Isn't it the same in the authorization code token request as well?

For the public client, when we send the authorization code flow token request, we have to send the client_id as a body param since we are not indicating the client_id as part of the basic auth header.

If we decide to fix this for the refresh grant then we should look into fixing the authorization code flow as well :)
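
The token-endpoint decision discussed in this thread, as an added sketch that is not part of the issue and not taken from the WSO2 Identity Server code base. It contrasts the reported behaviour (a public client must state its `client_id`) with the behaviour the reporter expects (the client is looked up from the refresh token), and in both modes checks that the token was issued to the client named in the request. All function names, the token store, and the sample values are hypothetical.

```python
import base64
from urllib.parse import parse_qs

# Constructed sample state: refresh token -> client it was issued to.
ISSUED_REFRESH_TOKENS = {"rt-sample-123": "public-spa-client"}


class TokenRequestError(Exception):
    """Carries an OAuth2 error code such as invalid_client or invalid_grant."""


def client_from_request(headers, form):
    """Return the client_id the request states, or None if it states none."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode()
        except ValueError:  # bad base64 or bad UTF-8
            raise TokenRequestError("invalid_client")
        return decoded.split(":", 1)[0]
    # Public clients have no secret, so they identify themselves in the body.
    return form.get("client_id")


def resolve_refresh_client(headers, body, infer_from_token=False):
    """Identify the client for a refresh_token grant.

    infer_from_token=False: behaviour reported in the issue (client_id required).
    infer_from_token=True:  behaviour the reporter expects (use the token's owner).
    """
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "refresh_token":
        raise TokenRequestError("unsupported_grant_type")
    stated = client_from_request(headers, form)
    if stated is None and not infer_from_token:
        raise TokenRequestError("invalid_client")
    owner = ISSUED_REFRESH_TOKENS.get(form.get("refresh_token"))
    if owner is None:
        raise TokenRequestError("invalid_grant")
    # A stated client must be the one the refresh token was issued to.
    if stated is not None and stated != owner:
        raise TokenRequestError("invalid_grant")
    return owner
```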