
add refresh token to client_credentials saveToken

Open z1haze opened this issue 6 months ago • 5 comments

Summary

TLDR: fixes #350

For some reason, the library doesn't include the refresh token when saving the access token during client_credentials flows, but it does for the authorization_code flow. In the event that you need to generate tokens for anonymous users (guests), the client credentials grant is necessary, and the refresh token should be provided.

Linked issue(s)

#350

Involved parts of the project

client_credentials grant flow

Added tests?

No tests

OAuth2 standard

https://datatracker.ietf.org/doc/html/rfc6749#appendix-A.17 (page 44)
https://www.oauth.com/oauth2-servers/access-tokens/access-token-response/ (refresh token section)

Reproduction

Issue a token using client_credentials grant and see the refresh token now exists as it does for the authorization_code grant

z1haze, Jun 02 '25 19:06

@z1haze can you please run the tests and check for the failures. If this is a breaking change then we need to get deeper into this again, because we'd like to avoid breaking until 100% necessary.

jankapunkt, Jul 08 '25 08:07

Hi @jankapunkt, where did you see a failure?

z1haze, Sep 30 '25 19:09

tests fail with some errors on node 22: https://github.com/node-oauth/node-oauth2-server/actions/runs/18139166610/job/51696007624?pr=351

can you replicate this when running the tests locally?

jankapunkt, Oct 01 '25 12:10

@z1haze is this still relevant to you?

jankapunkt, Oct 30 '25 11:10

Yeah, but I just patched it on my end. I don't have the time right now to go through it here. Besides, I think I took a different route based on what your rules are. The fact that they are failing is because I'm returning a refresh token for ones issued with client_credentials, because our SaaS OAuth provider works this way. I can see from your unit tests that you expect this not to be the case. I don't want to argue what's right or wrong. If you're curious, here's the login service I'm using, and refresh_token is returned, even for client_credentials grants. https://developer.salesforce.com/docs/commerce/commerce-api/references/shopper-login?meta=getAccessToken

z1haze, Oct 30 '25 16:10

@z1haze I can merge this into a separate branch and continue this work if that's okay for you.

jankapunkt, Nov 15 '25 11:11