Open thanujalk opened 4 years ago
@Yasasr1 will look into this
This could be the expected behavior. Isn't it the same in the authorization code token request as well?
For the public client, when we send the authorization code flow token request, we have to send the client_id as a body param since we are not indicating the client_id as part of the basic auth header.
If we decide to fix this for the refresh grant then we should look into fixing the authorization code flow as well :)
Describe the issue: When refreshing the token taken for an OAuth2 public client, it is required to send the client_id.
How to reproduce:
It is required to send the client_id in the request.
Expected behavior: IdP should be able to identify the client from the refresh token.
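The request shapes discussed in this thread, as an added example that is not code from the issue or from the project: a confidential client identifies itself in the Basic auth header, a public client has only the `client_id` body parameter, and the token endpoint checks that the refresh token was issued to that client. The client names, secret, token values and the functions `build_refresh_request` and `handle_refresh` are constructed for illustration, and the server side is a sketch of an endpoint that requires client identification, as the thread describes.

```python
import base64
import hmac
from urllib.parse import urlencode, parse_qs

# Constructed sample data (hypothetical): one public and one confidential client,
# and the client each refresh token was issued to.
CLIENTS = {"spa-app": {"secret": None}, "web-app": {"secret": "s3cr3t"}}
REFRESH_TOKENS = {"rt-public-123": "spa-app", "rt-conf-456": "web-app"}

def build_refresh_request(client_id, refresh_token, client_secret=None):
    """Return (headers, body) for a refresh_token grant request."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    if client_secret is None:
        # Public client: no Basic header, so client_id travels in the body.
        form["client_id"] = client_id
    else:
        cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {cred}"
    return headers, urlencode(form)

def handle_refresh(headers, body):
    """Return (http_status, client_id or OAuth2 error code)."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
        expected = (CLIENTS.get(client_id) or {}).get("secret")
        if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
            return 401, "invalid_client"
    else:
        client_id = form.get("client_id")
        client = CLIENTS.get(client_id)
        # Without a header, only a registered public client may identify
        # itself by body parameter; a confidential client must authenticate.
        if client is None or client["secret"] is not None:
            return 401, "invalid_client"
    # The refresh token must have been issued to the identified client.
    if REFRESH_TOKENS.get(form.get("refresh_token")) != client_id:
        return 400, "invalid_grant"
    return 200, client_id
```
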