I'm reading the OAuth2 spec:
https://www.rfc-editor.org/rfc/rfc6749#section-4.4.2
Specially the section on client_credentials
grant type.
If the access token request is valid and authorized, the
authorization server issues an access token as described in Section 5.1.
A refresh token SHOULD NOT be included. If the request failed client authentication or is invalid, the authorization server returns an error response as described in Section 5.2.
An example successful response:
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"example",
"expires_in":3600,
"example_parameter":"example_value"
}
`
I'm somewhat confused why an authorization server can return refresh_tokens for password
grant types but not for client_credentials
.
I'm guessing that it has something to do with the fact that the refresh_token can be exchanged for an access_token and because the client_credentials grant type does not require a username and password, in the event that your application keys and refresh_token is compromised revocation becomes much more difficult?
The token endpoint does not issue a refresh token as refresh tokens are not supported by the client credentials grant. The client credentials grant type is less secure than the authorization code grant type.
OAuth: The Videocourse For Dummies If the token access request is invalid or unauthorized, then the authorization server returns an error response. The access token is given by the authorization server when it accepts the client ID, client password and authorization code sent by the client application.
A refresh token is not returned for a client credentials grant. The client application uses the access token to request a resource o the resource server. The resource server checks with authorization server to make sure the access token is valid.
If the access token request is invalid, such as the redirect URL didn't match the one used during authorization, then the server needs to return an error response. Error responses are returned with an HTTP 400 status code (unless specified otherwise), with error and error_description parameters.
When using the client credentials grant, the client application authenticates to the authorization server using its client id and client secret. It gets back an access token for the resource if authorized. There's no user interaction in this scenario, so there's no need to issue a refresh token.
When the access token expires, the client can use its own credentials to request a new token. Refresh tokens are used when the client want to access a resource on behalf of the user (which may not be interacting with the client at that time).
In this case, the client is acting on its own behalf.
When applying the Resource Owner Password Credentials grant, it makes sense to return a refresh token so that the client does not need to store or cache the Resource Owner's password - as initially provided by the Resource Owner in an interactive fashion - to get a new access token.
In the Client Credentials flow, the client's credentials are provided from storage anyway - in an off-line fashion - so the refresh token does not gain any security or usability advantage over just re-using the client credentials again (the client has access to those anyway) to get a new access token.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With