OAuth Client Credential Flow - Refresh Tokens

The Scenario

I've recently built an API, and have protected its resources using OAuth Bearer Access Tokens.

I've used the Client_Credentials Flow, as it will be accessed by clients as opposed to users.

Here's the thing: when a client has successfully provided the client_id and the client_secret, they receive a response like the following:

{
  "access_token": "<Access Token>",
  "token_type": "bearer",
  "expires_in": 1199,
  "refresh_token": "<Refresh Token>"
}

Refresh Tokens.

Not knowing much about refresh tokens, I immediately assumed that a client would be able to provide the OAuth Server the refresh_token to retrieve a fresh Access_Token.

This is 'kind of' correct.

In order to use the refresh_token the client still needs to pass the client_id and client_secret along with the refresh_token to get a new access token.

The grant_type also needs to be changed to refresh_token.

Where is the benefit of a refresh_token using this flow? If I need to pass the client_id and client_secret each time, surely you would just avoid using a refresh token altogether?

Derek asked Apr 11 '17 08:04


1 Answer

The issuance of a refresh token with the client credential grant has no benefit. That is why RFC 6749 section 4.4.3 indicates "A refresh token SHOULD NOT be included." Thus its issuance is at the discretion of the authorization server.

From my point of view an authorization server should never issue a refresh token with the client credentials grant as the access token issuance process will take an additional and unnecessary step:

Issuance with the client_credentials grant type:

  • Step one: client authentication (client secret, assertion...)
  • OK access token is issued

Issuance with the refresh_token grant type:

  • Step one: client authentication (client secret, assertion...)
  • Step two: refresh token verification (expiration time, associated client...)
  • OK access token is issued
Spomky-Labs answered Sep 18 '22 19:09
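To make the two issuance paths from the answer concrete, here is a small simulated token endpoint (added example code, not from the question or the answer). It handles both grant types, authenticates the client first in either case, verifies the refresh token as the extra step, and does not issue a refresh token for client_credentials unless explicitly asked; the client id, secret and lifetimes are constructed values.

```python
import hmac
import secrets
import time

# Constructed registration of one confidential client (example values only).
CLIENTS = {"api-client": "s3cr3t-example"}
ACCESS_TTL = 1199      # same expires_in as the response shown in the question
REFRESH_TTL = 86400    # constructed refresh token lifetime in seconds

# Server-side stores: opaque token -> metadata (client binding and expiry).
ACCESS_TOKENS = {}
REFRESH_TOKENS = {}

def _authenticate(client_id, client_secret):
    """Step one for every grant: constant-time comparison of the client secret."""
    expected = CLIENTS.get(client_id)
    return expected is not None and hmac.compare_digest(
        expected.encode(), client_secret.encode())

def _issue_access(client_id, now):
    """Mint an opaque bearer token bound to the authenticated client."""
    tok = secrets.token_urlsafe(32)
    ACCESS_TOKENS[tok] = {"client_id": client_id, "exp": now + ACCESS_TTL}
    return {"access_token": tok, "token_type": "bearer", "expires_in": ACCESS_TTL}

def token_endpoint(params, now=None, issue_refresh=False):
    """Simulates POST /token; returns (http_status, json_body)."""
    now = now if now is not None else time.time()
    # Client authentication happens before any grant-specific logic.
    if not _authenticate(params.get("client_id", ""), params.get("client_secret", "")):
        return 401, {"error": "invalid_client"}
    client_id = params["client_id"]
    grant = params.get("grant_type")
    if grant == "client_credentials":
        body = _issue_access(client_id, now)
        if issue_refresh:  # RFC 6749 4.4.3 says SHOULD NOT, so this is off by default
            rt = secrets.token_urlsafe(32)
            REFRESH_TOKENS[rt] = {"client_id": client_id, "exp": now + REFRESH_TTL}
            body["refresh_token"] = rt
        return 200, body
    if grant == "refresh_token":
        # Step two: token must exist, be unexpired, and belong to this client.
        meta = REFRESH_TOKENS.get(params.get("refresh_token", ""))
        if meta is None or meta["exp"] <= now or meta["client_id"] != client_id:
            return 400, {"error": "invalid_grant"}
        return 200, _issue_access(client_id, now)
    return 400, {"error": "unsupported_grant_type"}
```

Calling the endpoint with grant_type refresh_token and a wrong secret fails at step one exactly as client_credentials would, which is the point the answer makes.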