Why is a refresh_token not provided by OAuth2 servers responding to a "client_credentials" grant?

I'm reading the OAuth2 spec:

https://www.rfc-editor.org/rfc/rfc6749#section-4.4.2

Specifically the section on the client_credentials grant type:

> If the access token request is valid and authorized, the authorization server issues an access token as described in Section 5.1. A refresh token SHOULD NOT be included. If the request failed client authentication or is invalid, the authorization server returns an error response as described in Section 5.2.
>
> An example successful response:

```http
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"example",
  "expires_in":3600,
  "example_parameter":"example_value"
}
```

I'm somewhat confused why an authorization server can return refresh_tokens for password grant types but not for client_credentials.

I'm guessing that it has something to do with the fact that the refresh_token can be exchanged for an access_token, and because the client_credentials grant type does not require a username and password, in the event that your application keys and refresh_token are compromised, revocation becomes much more difficult?

asked by Layke, Mar 24 '15 13:03


2 Answers

When using the client credentials grant, the client application authenticates to the authorization server using its client id and client secret. It gets back an access token for the resource if authorized. There's no user interaction in this scenario, so there's no need to issue a refresh token.

When the access token expires, the client can use its own credentials to request a new token. Refresh tokens are used when the client wants to access a resource on behalf of the user (who may not be interacting with the client at that time).

In this case, the client is acting on its own behalf.

answered by MvdD, Sep 28 '22 10:09


When applying the Resource Owner Password Credentials grant, it makes sense to return a refresh token so that the client does not need to store or cache the Resource Owner's password - as initially provided by the Resource Owner in an interactive fashion - to get a new access token.

In the Client Credentials flow, the client's credentials are provided from storage anyway - in an off-line fashion - so the refresh token does not gain any security or usability advantage over just re-using the client credentials again (the client has access to those anyway) to get a new access token.

answered by Hans Z., Sep 28 '22 10:09
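Both answers make the same point from different angles: a client using the client_credentials grant already holds everything it needs to get a fresh access token (its own client id and secret), so a refresh token would add nothing, whereas a password-grant client benefits from one because it can then discard the resource owner's password. The following Python sketch is an added illustration, not code from either answer or from any real OAuth2 library; it models a minimal in-memory token endpoint with a controllable clock, and the client id, client secret, user name and password are constructed sample values. The client_credentials branch omits the refresh token as RFC 6749 section 4.4.3 says it should, and the demo walks both flows across one token lifetime.

```python
"""Toy OAuth2 token endpoint (RFC 6749 sections 4.3, 4.4 and 6) showing why a client
using client_credentials gets no refresh token and does not need one. Added example."""
import secrets

# Constructed sample registrations for the demo (not real credentials).
CLIENTS = {"svc-client": "svc-client-secret"}
USERS = {"alice": "alice-password"}


class FakeClock:
    """Controllable clock so token expiry can be simulated offline."""
    def __init__(self, start=1_000_000.0):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


class AuthorizationServer:
    """In-memory token endpoint for the client_credentials, password and refresh_token grants."""
    def __init__(self, clock, token_ttl=3600):
        self.clock, self.token_ttl = clock, token_ttl
        self.access_tokens = {}   # access token -> {"sub": subject, "exp": expiry time}
        self.refresh_tokens = {}  # refresh token -> resource owner it was issued for

    def _issue(self, subject, refresh=None):
        token = secrets.token_urlsafe(16)
        self.access_tokens[token] = {"sub": subject, "exp": self.clock() + self.token_ttl}
        body = {"access_token": token, "token_type": "Bearer", "expires_in": self.token_ttl}
        if refresh is not None:
            body["refresh_token"] = refresh
        return 200, body

    def token(self, form):
        # Every grant handled here requires client authentication (section 3.2.1).
        if CLIENTS.get(form.get("client_id")) != form.get("client_secret"):
            return 401, {"error": "invalid_client"}
        grant = form.get("grant_type")
        if grant == "client_credentials":
            # Section 4.4.3: "A refresh token SHOULD NOT be included."
            return self._issue(form["client_id"])
        if grant == "password":
            if USERS.get(form.get("username")) != form.get("password"):
                return 400, {"error": "invalid_grant"}
            # The refresh token lets the client renew later without keeping the user's password.
            refresh = secrets.token_urlsafe(16)
            self.refresh_tokens[refresh] = form["username"]
            return self._issue(form["username"], refresh)
        if grant == "refresh_token":
            subject = self.refresh_tokens.get(form.get("refresh_token"))
            if subject is None:
                return 400, {"error": "invalid_grant"}
            return self._issue(subject, form["refresh_token"])
        return 400, {"error": "unsupported_grant_type"}

    def is_valid(self, access_token):
        info = self.access_tokens.get(access_token)
        return info is not None and info["exp"] > self.clock()


class ServiceClient:
    """Acts on its own behalf: when its cached token expires it simply authenticates again."""
    def __init__(self, server, clock, client_id, client_secret):
        self.server, self.clock = server, clock
        self.creds = {"client_id": client_id, "client_secret": client_secret}
        self.token, self.expires_at = None, 0.0

    def access_token(self):
        if self.token is None or self.clock() >= self.expires_at:
            status, body = self.server.token({"grant_type": "client_credentials", **self.creds})
            if status != 200:
                raise RuntimeError(body["error"])
            self.token = body["access_token"]
            self.expires_at = self.clock() + body["expires_in"]
        return self.token


def demo(ttl=3600):
    """Run both flows across one token lifetime and report what happened."""
    clock = FakeClock()
    server = AuthorizationServer(clock, token_ttl=ttl)
    creds = {"client_id": "svc-client", "client_secret": "svc-client-secret"}
    # Raw responses, to compare what each grant returns.
    _, cc_body = server.token({"grant_type": "client_credentials", **creds})
    _, pw_body = server.token({"grant_type": "password", "username": "alice",
                               "password": "alice-password", **creds})
    refresh_token = pw_body["refresh_token"]  # all the delegated client needs to retain
    svc = ServiceClient(server, clock, **creds)
    first = svc.access_token()
    cached = svc.access_token()  # still valid, so the cached token is reused
    clock.advance(ttl + 1)       # every access token issued above has now expired
    renewed_svc = svc.access_token()  # re-requested with the client's own credentials
    _, rt_body = server.token({"grant_type": "refresh_token",
                               "refresh_token": refresh_token, **creds})
    return {
        "cc_has_refresh": "refresh_token" in cc_body,
        "password_has_refresh": "refresh_token" in pw_body,
        "svc_cached": first == cached,
        "old_token_valid": server.is_valid(first),
        "svc_renewed": renewed_svc != first and server.is_valid(renewed_svc),
        "delegated_renewed": server.is_valid(rt_body["access_token"]),
    }
```

Running `demo()` shows the asymmetry directly: the client_credentials response carries no refresh_token, yet the service client keeps working after expiry because its own credentials are still at hand, while the password-grant client renews through the refresh token alone and never has to store the password it sent once. The same property is what makes revocation simpler for a service client: there is one secret to rotate, the client secret, rather than a secret plus a long-lived refresh token.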