The official sample Spring Authorization Server returns an access_token and id_token by default for OAuth 2.1 with PKCE:
https://github.com/spring-projects/spring-authorization-server/tree/main/samples/default-authorizationserver
Is it possible that the endpoint /oauth2/token also returns a refresh_token in the response? What changes or configuration would I need in the sample for getting a refresh_token?
Here's a Postman request for the token

I will also mention a few changes I had to make for Code Flow with PKCE
Disabled CSRF
    @Bean
    SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorizeRequests ->
                authorizeRequests.anyRequest().authenticated()
            )
            .formLogin(withDefaults())
            .csrf().disable();   // CSRF protection disabled, as noted above
        return http.build();
    }
Changed ClientAuthenticationMethod.CLIENT_SECRET_BASIC to ClientAuthenticationMethod.NONE
Changed requireAuthorizationConsent(true) to requireProofKey(true)
You mention using the Authorization Code Flow with PKCE, which is valid for confidential clients as well as public clients. However, when using a public client (client authentication method = none, no client secret), refresh tokens are not issued.
From #297 Implementation guidelines for Browser-Based Apps (SPA):
Refresh Tokens for Public Clients
There are no plans to implement refresh tokens for Public Clients, as there are no browser APIs that allow refresh tokens to be stored in a secure way, which would result in an increased attack surface.
See #297 for more information about refresh tokens, which is heavily based on recommendations from OAuth 2.0 for Browser-Based Apps and OAuth 2.0 Security Best Current Practice. The recommendation when using a public client is to use the "backend for frontend" pattern. The BFF will be a confidential client and can receive refresh tokens while also removing the complexity and risk of managing and storing tokens in the browser.
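An added example (not code from the question, the answer, or the Spring Authorization Server sample) showing the two kinds of client the answer contrasts, registered in the sample's RegisteredClientRepository bean: a public SPA client using PKCE with no secret, which the server authenticates with method none and therefore issues no refresh_token to, and a confidential "backend for frontend" client, which authenticates with a secret and has the refresh_token grant enabled. The client ids, the secret, the redirect URIs and the token lifetimes are assumed placeholder values; the ClientSettings and TokenSettings imports use the 0.2.x package location (in 1.x they live under `...authorization.settings`).

```java
// Added example, not part of the original question, answer or the Spring sample.
// Client ids, secret, redirect URIs and lifetimes below are assumed placeholder values.
import java.time.Duration;
import java.util.UUID;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.config.ClientSettings;
import org.springframework.security.oauth2.server.authorization.config.TokenSettings;

@Configuration
public class RefreshTokenClientsConfig {

    @Bean
    public RegisteredClientRepository registeredClientRepository() {
        // Public client: authorization code + PKCE, no client secret.
        // Authenticated with method NONE, so the token endpoint returns
        // access_token and id_token only; no refresh_token is issued.
        RegisteredClient spaClient = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("spa-client")                                    // assumed
                .clientAuthenticationMethod(ClientAuthenticationMethod.NONE)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .redirectUri("http://127.0.0.1:4200/callback")             // assumed
                .scope(OidcScopes.OPENID)
                .clientSettings(ClientSettings.builder()
                        .requireProofKey(true)   // PKCE mandatory for this client
                        .build())
                .build();

        // Confidential BFF client: holds a secret and sends it via HTTP Basic,
        // and has the refresh_token grant enabled, so a refresh_token is returned.
        RegisteredClient bffClient = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("bff-client")                                    // assumed
                .clientSecret("{noop}bff-secret")                          // assumed; store a hashed secret outside demos
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                .redirectUri("http://127.0.0.1:8080/login/oauth2/code/bff") // assumed
                .scope(OidcScopes.OPENID)
                .clientSettings(ClientSettings.builder()
                        .requireProofKey(true)   // PKCE is allowed for confidential clients too
                        .build())
                .tokenSettings(TokenSettings.builder()
                        .accessTokenTimeToLive(Duration.ofMinutes(5))      // assumed
                        .refreshTokenTimeToLive(Duration.ofHours(8))       // assumed
                        .reuseRefreshTokens(false)   // rotate the refresh token on every use
                        .build())
                .build();

        return new InMemoryRegisteredClientRepository(spaClient, bffClient);
    }
}
```

With this configuration the BFF exchanges its authorization code (plus code_verifier) at /oauth2/token using Basic authentication and receives access_token, id_token and refresh_token; it later renews with grant_type=refresh_token. Because reuseRefreshTokens is false, every refresh replaces the previous refresh token, which limits the useful lifetime of one that leaks from the BFF. The SPA client, configured as in the question, keeps getting only access_token and id_token regardless of the grant types listed for it.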