When asking for the access token using a URL like this (client credentials as grant type):
http://api.local/app_dev.php/oauth/v2/token?client_id=<client_id>&client_secret=<secret>&grant_type=client_credentials
I get the following json response:
{
    "access_token": "XXXXXXXXXXX",
    "expires_in": 3600,
    "token_type": "bearer",
    "scope": "user"
}
The refresh token is missing; any idea why this could be?
My FOSOAuthServerBundle in config.yml:
fos_oauth_server:
    db_driver: orm
    client_class: Acme\ApiBundle\Entity\Client
    access_token_class: Acme\ApiBundle\Entity\AccessToken
    refresh_token_class: Acme\ApiBundle\Entity\RefreshToken
    auth_code_class: Acme\ApiBundle\Entity\AuthCode
    service:
        user_provider: platform.user.provider
        options:
            supported_scopes: user
UPDATE
The Client Entity makes a call to the constructor in the parent entity (located in the FOSOAuthServerBundle):
<?php

namespace Acme\ApiBundle\Entity;

use FOS\OAuthServerBundle\Entity\Client as BaseClient;
use Doctrine\ORM\Mapping as ORM;

/**
 * @ORM\Entity
 */
class Client extends BaseClient
{
    /**
     * @ORM\Id
     * @ORM\Column(type="integer")
     * @ORM\GeneratedValue(strategy="AUTO")
     */
    protected $id;

    public function __construct()
    {
        parent::__construct();
    }
}
Florent is right, client_credentials should not include the refresh token by default. It is, however, included in the older version that I'm using; that's why I was confused.

I would suggest going for grant type authorization_code or password, if possible. If you really need to expose a refresh token for client_credentials, I guess you could extend/override the OAuth2 class and override the method grantAccessTokenClientCredentials by calling the parent and removing the 'issue_refresh_token' => false from the returned result.
You can override the OAuth2 class by putting the following in your services.yml (as long as your bundle has 'FOSOAuthServerBundle' as parent):

parameters:
    fos_oauth_server.server.class: YourNS\YourBundle\Service\YourOauth2
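The override sketched in the answer, written out as an added example (not code from the question, the answer, or FOSOAuthServerBundle). It assumes the parent method signature used by friendsofsymfony/oauth2-php and the YourNS\YourBundle\Service namespace from the services.yml parameter above.

```php
<?php
// Added example: an OAuth2 subclass that re-enables refresh tokens for the
// client_credentials grant. Assumed: the three-argument parent signature from
// friendsofsymfony/oauth2-php and the namespace named in the services.yml
// parameter fos_oauth_server.server.class.

namespace YourNS\YourBundle\Service;

use OAuth2\Model\IOAuth2Client;
use OAuth2\OAuth2;

class YourOauth2 extends OAuth2
{
    /**
     * The parent merges the storage result with defaults, among them
     * 'issue_refresh_token' => false, because RFC 6749 section 4.4.3 says a
     * refresh token SHOULD NOT be issued for client_credentials. The answer
     * removes that key so the caller's own default applies; setting it to
     * true explicitly has the same effect and does not depend on that default.
     */
    protected function grantAccessTokenClientCredentials(IOAuth2Client $client, array $input, array $clientCredentials)
    {
        $stored = parent::grantAccessTokenClientCredentials($client, $input, $clientCredentials);

        // Equivalent to unset($stored['issue_refresh_token']) when the caller
        // defaults the flag to true; explicit is clearer when reading the grant.
        $stored['issue_refresh_token'] = true;

        return $stored;
    }
}
```

Only the token-issuing flag changes; client authentication and scope checks still run in the parent call, so a failed client secret still raises the parent's invalid_grant exception.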