Tags: oauth-2.0, openid, single-page-application

Granting offline_access to public apps


What's your opinion regarding granting offline_access to public applications? I've looked through the standard and have not found an explicit indication that granting public apps the offline_access scope is a big security issue.

I think it is, as public apps are not capable of securely keeping their password, let alone a refresh token. At the same time I see a lot of samples with browser apps that use the refresh_token flow, so it may be a common strategy to prevent having the user redirected to the identity provider.

My goal is to find a proper way to get another access_token using AJAX so that the user does not have the page refreshed or be redirected to the identity provider.

Thanks, George


Solution

  • As per RFC 6749, the issuance of a refresh token is not permitted with the implicit grant type, and it is at the discretion of the authorization server for the other grant types.

    The OpenID Connect specification is a bit more restrictive by mentioning that the authorization server MUST ignore the offline_access request unless the Client is using a response_type value that would result in an Authorization Code being returned.

    Anyway, those specifications permit the issuance of a refresh token for a public client if the refresh tokens can receive an acceptable level of protection.

    Possible threats are identified and countermeasures could be (non-exhaustive list):

    • Secure refresh tokens storage (encrypted folder/disk).
    • Lock(s) to prevent unauthorized device/application access
    • Possibility to revoke the access tokens/refresh tokens
    • Rotation of the refresh tokens
    • Combine refresh token request with device identification
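The following is an added example, not code from the question or the answer above, showing how an authorization server can implement three of the countermeasures the answer lists for refresh tokens issued to public clients: rotation (each refresh token is single-use and replaced on every exchange), revocation (a whole token family descending from one authorization can be killed), and binding the refresh request to a device identifier. The store, the `family_id` grouping, the `device_id` fingerprint and the `rotate`/`revoke_family` methods are hypothetical names chosen for this illustration; replay of an already-rotated token is treated as compromise and revokes the entire family, which is the usual way rotation detects a stolen token.

```python
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class RefreshTokenRecord:
    family_id: str     # all tokens descending from one authorization share a family
    client_id: str     # public client this token was issued to
    device_id: str     # device fingerprint bound at issuance (hypothetical scheme)
    expires_at: float  # absolute expiry shared by the whole family
    used: bool = False # set once rotated; a second presentation is a replay


class RefreshTokenStore:
    """Server-side refresh-token bookkeeping for public clients (added example)."""

    def __init__(self, lifetime_s: int = 30 * 24 * 3600) -> None:
        self.lifetime_s = lifetime_s
        self._tokens: dict[str, RefreshTokenRecord] = {}
        self._revoked_families: set[str] = set()

    def issue(self, client_id: str, device_id: str, *, family_id: str | None = None,
              expires_at: float | None = None, now: float | None = None) -> str:
        """Mint a fresh opaque refresh token. A new family starts unless one is given."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        family_id = family_id or secrets.token_urlsafe(16)
        expires_at = now + self.lifetime_s if expires_at is None else expires_at
        self._tokens[token] = RefreshTokenRecord(family_id, client_id, device_id, expires_at)
        return token

    def rotate(self, presented: str, client_id: str, device_id: str,
               now: float | None = None) -> str | None:
        """Exchange a refresh token for a new one; returns the new token or None on rejection."""
        now = time.time() if now is None else now
        rec = self._tokens.get(presented)
        if rec is None or rec.family_id in self._revoked_families or now >= rec.expires_at:
            return None
        if rec.used:
            # The token was already rotated: either the legitimate client lost the response
            # or someone copied the token. Either way, invalidate the whole family.
            self.revoke_family(rec.family_id)
            return None
        same_client = hmac.compare_digest(rec.client_id.encode(), client_id.encode())
        same_device = hmac.compare_digest(rec.device_id.encode(), device_id.encode())
        if not (same_client and same_device):
            # Request does not match the binding captured at issuance: treat as misuse.
            self.revoke_family(rec.family_id)
            return None
        rec.used = True
        # The replacement inherits the family's absolute expiry, so rotation never
        # extends a grant indefinitely.
        return self.issue(client_id, device_id, family_id=rec.family_id,
                          expires_at=rec.expires_at, now=now)

    def revoke_family(self, family_id: str) -> None:
        """Revoke every token in a family (e.g. user logout or detected replay)."""
        self._revoked_families.add(family_id)
        for token, rec in list(self._tokens.items()):
            if rec.family_id == family_id:
                del self._tokens[token]

    def revoke(self, token: str) -> None:
        """Revoke by a single token; the whole family goes with it."""
        rec = self._tokens.get(token)
        if rec is not None:
            self.revoke_family(rec.family_id)


def demo(now: float = 1_700_000_000.0) -> dict[str, bool]:
    """Constructed scenario: normal rotation, then replay of the old token."""
    store = RefreshTokenStore()
    rt1 = store.issue("spa-client", "device-A", now=now)
    rt2 = store.rotate(rt1, "spa-client", "device-A", now=now + 60)      # legitimate exchange
    replay = store.rotate(rt1, "spa-client", "device-A", now=now + 120)  # rt1 presented again
    after = store.rotate(rt2, "spa-client", "device-A", now=now + 180)   # family is now dead
    return {
        "rotated": rt2 is not None,
        "replay_rejected": replay is None,
        "family_revoked": after is None,
    }


if __name__ == "__main__":
    print(demo())
```

Rotation on its own does not stop a token that is stolen and used before the legitimate client refreshes; it only guarantees that the second party to present the same token, whoever that is, ends the family, which is why the answer pairs it with revocation and device binding rather than treating any one measure as sufficient.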