Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RefreshTokenGrant requires client_secret also for non-confidential clients #1369

Open
PMawesome opened this issue Aug 26, 2023 · 3 comments · May be fixed by #1420
Open

RefreshTokenGrant requires client_secret also for non-confidential clients #1369

PMawesome opened this issue Aug 26, 2023 · 3 comments · May be fixed by #1420

Comments

@PMawesome
Copy link

RefreshTokenGrant::respondToAccessTokenRequest requires a client_secret, otherwise it will throw an exception (OAuthServerException::invalidClient). This does not make sense for non-confidential clients, as they are not able to send the client_secret.

@SherinBloemendaal
Copy link

Did you include the client_secret in the request payload? When it is not sent, it defaults to null, which causes the check to pass (referenced in League\OAuth2\Server\Grant\AbstractGrant at line 265).

@Sephster
Copy link
Member

Could you provide details about where the exception is being thrown from and we can check this. It should be noted that most implementations don't allow public clients to use the Refresh Token grant for enhanced security.

We explicitly skip client validation if the client if confidential for the auth code grant but don't do a similar check for the refresh token grant so I think you are correct in your assertion.

I'm unsure if we should support this though. Any further information about where the error is being thrown etc would be appreciated. Thank you

@meienberger
Copy link

Hello, I'm currently facing a similar challenge in our implementation. We use the Auth code grant to authenticate our micro-frontend application and we want to avoid re-doing a complete authorization flow each time our token reaches it's expiration. As per the specificatons it states that issuing a refresh token is at the discretion of the authorization server and in fact, a refresh token is issued when we request a token through the Auth Code grant flow but we cannot use it because of the limitation mentioned above. Is there a way for us to use this refresh token without a client secret?

Thanks for your time

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
4 participants