Spring Security OAuth 2 implicit grant does not support refresh token. How is the scenario handled when access token expires at client side?
The implicit flow does not grant the client a refresh token. This means that when the Access Token expires, the client has to redirect to the authorization link again.
When the access token expires, you will receive a 401 Unauthorized when requesting the protected resource (for example an API method):
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="Some Realm Name", error="invalid_token",error_description="Invalid token: 12f55216-0fe0-422e-a473-356e03a3489b"
Content-Type: application/xhtml+xml;charset=UTF-8
<oauth><error_description>Invalid token: 12f55216-0fe0-422e-a473-356e03a3489b</error_description><error>invalid_token</error></oauth>
Your application has to react and request a new access token by calling
/oauth/authorize?response_type=token&client_id=your-client-id
again.
4.2. Implicit Grant
"The implicit grant type is used to obtain access tokens (it does not support the issuance of refresh tokens) and is optimized for public clients known to operate a particular redirection URI. These clients are typically implemented in a browser using a scripting language such as JavaScript."
4.2.2 Implicit Grant response
"The authorization server MUST NOT issue a refresh token."
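Since the implicit flow gives the browser client nothing to refresh with, the client has to recognise the `invalid_token` 401 described above and start a new authorization request. The following is an added example illustrating that client-side handling; it is not code from the question, the answer or Spring Security. The `AUTHORIZE_URL`, `REDIRECT_URI` and the injected `deps` object (fetch, storage, navigate, randomState) are assumptions for illustration; the `state` parameter is included so that a forged callback cannot hand the application a token it did not ask for.

```javascript
// Added example (not from the original answer): browser-side handling of an
// expired implicit-grant access token. AUTHORIZE_URL and REDIRECT_URI are
// assumed values; CLIENT_ID mirrors the "your-client-id" placeholder above.
const AUTHORIZE_URL = "https://auth.example.com/oauth/authorize"; // assumed
const CLIENT_ID = "your-client-id";
const REDIRECT_URI = "https://app.example.com/callback";           // assumed

// Parse a WWW-Authenticate header such as
//   Bearer realm="Some Realm Name", error="invalid_token", error_description="..."
// into { scheme, params }. Parameter values may be quoted or bare tokens.
function parseWwwAuthenticate(header) {
  const m = /^\s*([A-Za-z][A-Za-z0-9_-]*)\s*(.*)$/.exec(header || "");
  if (!m) return null;
  const params = {};
  const re = /([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/g;
  let p;
  while ((p = re.exec(m[2])) !== null) {
    params[p[1].toLowerCase()] =
      p[2] !== undefined ? p[2].replace(/\\(.)/g, "$1") : p[3];
  }
  return { scheme: m[1], params };
}

// True when the resource server rejected the bearer token as invalid/expired,
// i.e. HTTP 401 with WWW-Authenticate: Bearer ... error="invalid_token".
// Other 401 reasons (e.g. insufficient_scope) are not fixed by re-authorising.
function isInvalidTokenResponse(status, wwwAuthenticate) {
  if (status !== 401) return false;
  const parsed = parseWwwAuthenticate(wwwAuthenticate);
  return !!parsed && parsed.scheme.toLowerCase() === "bearer" &&
    parsed.params.error === "invalid_token";
}

// Build the implicit-grant authorization request (response_type=token).
// `state` is an unguessable value stored before the redirect and checked on
// return, so a callback the client never initiated is ignored.
function buildAuthorizeUrl(clientId, redirectUri, state, scope) {
  const u = new URL(AUTHORIZE_URL);
  u.searchParams.set("response_type", "token");
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("state", state);
  if (scope) u.searchParams.set("scope", scope);
  return u.toString();
}

// Parse the token the authorization server returns in the URL fragment, e.g.
//   #access_token=abc&token_type=bearer&expires_in=3600&state=xyz
// Returns null when the state does not match the one we stored.
function parseFragmentToken(hash, expectedState) {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  if (params.get("state") !== expectedState) return null;
  const token = params.get("access_token");
  if (!token) return null;
  return {
    accessToken: token,
    tokenType: params.get("token_type"),
    expiresIn: Number(params.get("expires_in")) || null,
  };
}

// fetch wrapper: on an invalid-token 401 it starts a fresh authorization
// redirect instead of retrying with the dead token. `deps` (fetch, storage,
// navigate, randomState) are injected so the logic runs outside a browser too.
async function fetchWithReauth(url, token, deps) {
  const resp = await deps.fetch(url, {
    headers: { Authorization: "Bearer " + token },
  });
  if (isInvalidTokenResponse(resp.status, resp.headers.get("WWW-Authenticate"))) {
    const state = deps.randomState();
    deps.storage.setItem("oauth_state", state);
    deps.navigate(buildAuthorizeUrl(CLIENT_ID, REDIRECT_URI, state));
    return null; // page is navigating away; the caller gets no data
  }
  return resp;
}
```

In a real page `deps` would be `{ fetch: window.fetch.bind(window), storage: sessionStorage, navigate: (u) => { location.href = u; }, randomState: () => crypto.randomUUID() }`, and the callback page calls `parseFragmentToken(location.hash, sessionStorage.getItem("oauth_state"))` before trusting the new token.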