Firstly: I can successfully make calls to
http://localhost:7791/connect/token POST
grant_type=refresh_token
&refresh_token={refresh_token}
&client_id=resource-owner-client
&client_secret=secret
and this returns a new access_token, refresh_token, expires_in, and token_type.
However, I want to do it without a client_secret. In my case my clients are remote applications that have been issued a starting access_token, refresh_token, etc.
using this call.
http://localhost:7791/connect/token POST
grant_type=password
&scope=arbitrary offline_access
&client_id=resource-owner-client
&client_secret=secret
&username=rat
&password=poison
The initial call is trusted and the secrets known, but downstream usage of the refresh_token should not require the client_secret.
How can I configure this or where would I have to code my own abstraction to make things work this way?
Not out of the box.
You could implement that using an extension grant.
https://identityserver4.readthedocs.io/en/release/topics/extension_grants.html
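As an added illustration of the extension-grant route (this is not code from the question, the answer, or the IdentityServer4 project), the sketch below is a custom grant validator that accepts a previously issued refresh_token handle from a client configured with `RequireClientSecret = false`. The grant type name `public_refresh`, the public client id `resource-owner-refresh`, and the assumption that the refresh token was originally issued to `resource-owner-client` via the password grant from the question are all hypothetical choices made for this example. A second client entry is used on purpose so that the password grant itself keeps requiring the secret.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Stores;
using IdentityServer4.Validation;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical extension grant: redeem an existing refresh token for new tokens
// without a client secret. Names below are assumptions for this example.
public class PublicRefreshGrantValidator : IExtensionGrantValidator
{
    // Client that originally issued the refresh token (password grant, with secret).
    private const string IssuingClientId = "resource-owner-client";

    private readonly IRefreshTokenStore _store;

    public PublicRefreshGrantValidator(IRefreshTokenStore store) => _store = store;

    public string GrantType => "public_refresh";

    public async Task ValidateAsync(ExtensionGrantValidationContext context)
    {
        var handle = context.Request.Raw.Get("refresh_token");
        if (string.IsNullOrWhiteSpace(handle))
        {
            context.Result = new GrantValidationResult(
                TokenRequestErrors.InvalidRequest, "refresh_token is required");
            return;
        }

        var token = await _store.GetRefreshTokenAsync(handle);
        if (token == null)
        {
            context.Result = new GrantValidationResult(
                TokenRequestErrors.InvalidGrant, "unknown refresh token");
            return;
        }

        // Bind the handle to the client it was issued to; a token issued elsewhere
        // must not be redeemable through this grant.
        if (token.ClientId != IssuingClientId)
        {
            context.Result = new GrantValidationResult(
                TokenRequestErrors.InvalidGrant, "refresh token not issued to expected client");
            return;
        }

        // Enforce the stored lifetime; drop expired handles from the store.
        if (token.CreationTime.AddSeconds(token.Lifetime) < DateTime.UtcNow)
        {
            await _store.RemoveRefreshTokenAsync(handle);
            context.Result = new GrantValidationResult(
                TokenRequestErrors.InvalidGrant, "refresh token expired");
            return;
        }

        // One-time use: consume the old handle so a replayed (leaked) handle fails
        // and shows up as an invalid_grant in the logs.
        await _store.RemoveRefreshTokenAsync(handle);

        // Re-issue tokens for the original subject, carrying over its claims.
        var claims = token.Subject.Claims.Where(c => c.Type != "sub");
        context.Result = new GrantValidationResult(token.SubjectId, GrantType, claims);
    }
}

public static class PublicRefreshSetup
{
    // Registration: services.AddIdentityServer()...AddPublicRefresh();
    public static IIdentityServerBuilder AddPublicRefresh(this IIdentityServerBuilder builder)
        => builder.AddExtensionGrantValidator<PublicRefreshGrantValidator>();

    // Public client that may call the custom grant without a secret (assumed id).
    public static Client PublicRefreshClient() => new Client
    {
        ClientId = "resource-owner-refresh",
        RequireClientSecret = false,
        AllowedGrantTypes = { "public_refresh" },
        AllowOfflineAccess = true,
        AllowedScopes = { "arbitrary" }
    };
}
```

The downstream call then looks like `grant_type=public_refresh&refresh_token={refresh_token}&client_id=resource-owner-refresh&scope=arbitrary offline_access`, with no `client_secret`. Because the grant returns a result for a subject, IdentityServer issues a fresh access_token (and, with offline_access requested and allowed, a new refresh_token) for the public client; removing the consumed handle is what keeps a copied handle from being reused by a second party.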