How to get Refresh Token from Spring Authorization Server sample
The official sample Spring Authorization Server returns an access_token and id_token by default for Oauth 2.1 with PKCE
Is it possible that the endpoint /oauth2/token also returns a refresh_token in the response? What changes or configuration would I need in the sample for getting a refresh_token?
Here's a Postman request for the token
I will also mention a few changes I had to make for Code Flow with PKCE
Disabled CSRF
http
.authorizeRequests(authorizeRequests ->
authorizeRequests.anyRequest().authenticated()
)
.formLogin(withDefaults())
.csrf().disable();
Changed ClientAuthenticationMethod.CLIENT_SECRET_BASIC to ClientAuthenticationMethod.NONE
Changed requireAuthorizationConsent(true) to requireProofKey(true)
You mention using the Authorization Code Flow with PKCE, which is valid for confidential clients as well as public clients. However, when using a public client (client authentication method = none, no client secret), refresh tokens are not issued.
From #297 Implementation guidelines for Browser-Based Apps (SPA):
Refresh Tokens for Public Clients
There are no plans to implement refresh tokens for Public Clients, as there are no browser APIs that allow refresh tokens to be stored in a secure way, which would result in an increased attack surface.
See #297 for more information about refresh tokens, which is heavily based on recommendations from OAuth 2.0 for Browser-Based Apps and OAuth 2.0 Security Best Current Practice. The recommendation when using a public client is to use the "backend for frontend" pattern. The BFF will be a confidential client and can receive refresh tokens while also removing the complexity and risk of managing and storing tokens in the browser.
- How to install spring-boot-starter-security dependency
- Spring Boot adds 'es' to the links
- Spring Boot - Return an empty array of objects
- Do we have XSDs particularly for Spring 5.x?
- Spring + Ehcache : How to cache find all result
- Equivalent to DataJpaTest for Spring Data's ReactiveCrudRepository and R2DBC
- How to return values of only one parameter in GetMapping?
- Find/Remove in @DBref list items in MongoDB for Spring
- Name for argument of type [java.lang.String] not specified, and parameter name information not available via reflection
- How to return 404 response status in Spring Boot @ResponseBody - method return type is Response?
- UnsatisfiedDependencyException: Error creating bean with name
- Cannot load configs from Config Server - No suitable HttpMessageConverter
- How to start HSQLDB in server mode from Spring boot application
- not able to call upload file API using RestTemplate
- Add SoapHeader to org.springframework.ws.WebServiceMessage
- How to avoid block from Reactive Service in Spring Integration Flow?
- What are the arguments while extending JpaRepository<T, ID>
- The lookup from the cache into processor is taking lot of time - Spring Batch project
- Prevent JPA from changing DB column data type
- Is it possible to use @Transactional and kotlin coroutines in spring boot?
- Junit mock is not working for mockito call
- Spring Boot application is encountering a NullPointerException after running for a while
- Map as parameter in RestAPI Post request
- Disabling JMX in a spring application
- Could not instantiate bean class: Specified class is an interface
- Implementing custom methods of Spring Data repository and exposing them through REST
- RestClientException: Could not extract response. no suitable HttpMessageConverter found
- SAXParseException; src-resolve: Cannot resolve the name '...' to a(n) 'type definition' component
- Is it good idea to use the DAO design pattern with spring Boot, instead of using repository design pattern provided by spring data jpa?
- java.lang.IllegalArgumentException: Not a managed type: @Entity