Does refresh_token make sense with client credentials oauth flow?
I am testing keycloak for learning purposes. I am testing the client credentials flow token endpoint to return a jwt for rest api use.
The endpoint returns an access_token and a refresh_token (refresh token is disabled by default unless I enable it in console for the client). I can call the same token endpoint with a refresh token generated from the first client credentials call but it still requires a client secret.
Is it not possible to regenerate an access token in the client credentials flow with just a refresh token?
If not why would I ever bother to pass a grant_type of refresh_token - wouldn't I just call the client_credential flow again since they both require a client secret? I have to guess the answer will be that refresh tokens don't make sense to be used with client_credential flows?
token parameters:
refresh token parameters:
You guess right, refresh tokens don't make sense for the client_credentials grant type. Refresh tokens are used for interactive clients i.e a person. The idea of the refresh token is to remove the requirement for them to have to frequently re-authenticate e.g re-enter their username and password, whilst still allowing the token expiry time to be kept short. The reason you want to keep the expiry time short is that once it is issued it is usually not possible to revoke it. On the other hand if an account has been suspended or the password has been changed and a refresh token has been presented the reissuing of the token can be refused by the identity provider.
As the client credentials flow is used for machine to machine authentication frequently re-authenticating is not a problem. The OAuth RFC specifically states "refresh token SHOULD NOT be included." in the response for the client_credentials grant type.
- Error 400: invalid_scope with Postman and Google OAuth2
- Issues Adding SMTP.Send Permission to Azure Application for Office 365 SMTP
- PHP - How to get OAuth 2.0 Token
- UPS Outh Rating API return Invalid Authentication Information
- How to store sensitive data in React Native or expo code ? ( with Keychain and Keystore )
- How to get Optum sandbox to authenticate with OAuth 2.0 using Java and okhttp
- Spring Boot redirection back to login page
- New Google place api using google OAuth, ask failed to refresh token
- Getting OAuth code challenge on loopback server
- How do I solve audience (aud) invalid claim error for downstream api service?
- oauth 2 parameters can only have a single value: scope
- #oauth2 security expressions on method level
- Calling spring authorization server OAuth2 REST endpoints
- Google AdWords API authorization raising AdsCommon::Errors::AuthError
- Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
- Passport - Node.js not returning Refresh Token
- AWS Cognito: Missing Scopes in Access Token with Custom UI and Device Remember Functionality for MFA
- Cross-client Google OAuth: Get auth code on iOS and access token on server
- How to generate GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET without a domain?
- Spring Gateway and OAuth
- OAuth Client Credential Flow - Refresh Tokens
- Django OAuth2 Authentication Failing in Unit Tests - 401 'invalid_client' Error
- Add OAuth authentication for HTTP request triggers
- OAuth2 implementation and user management Django
- How to enable a submit button if form fields are auto-filled by the browser using saved credentials on page load?
- AADSTS70000 Error When Requesting for Access Token
- Is storing an OAuth token in cookies bad practice?
- Spring OAuth2 client performs Back-Channel Logout with an expired ID token
- I/O error on GET request for "https://localhost/application/o/{name}/.well-known/openid-configuration": Connection refused
- Restrict Microsoft Azure App OAuth2.0 to Internal Users