
oauth2: refresh token of public clients

Open · mgenov opened this issue 7 years ago · 1 comment

Currently, refreshing an access token requires passing an Authorization header with base64(client:secret) and a refresh_token parameter. As it is not a good idea for secrets to be kept in native clients, they should be able to provide only the public client id instead of the whole set of params.

Here is a complete request flow:

POST /o/oauth2/v1/token HTTP/1.1
Host: accounts.telcong.com
Content-Type: application/x-www-form-urlencoded

client_id=<your_client_id>&
client_secret=<your_client_secret>&
refresh_token=<refresh_token>&
grant_type=refresh_token

Note: The client secret value is not needed for clients registered as Android, iOS, or Chrome applications, e.g. public clients.

mgenov · Aug 16 '17 15:08

It's currently supported, but it's hard to read as it was added as a condition in ClientAuthenticationCredentialsRequest: https://github.com/clouway/oauth2-server/blob/762904fd3448970b0120a0e08466ea3df1ea00eb/oauth2-server/src/main/java/com/clouway/oauth2/ClientAuthenticationCredentialsRequest.java#L45

As the same implementation is used for authentication and tokens, it should work as expected.

Better readability could be reached with separate implementations of the authentication of public clients and password-based clients.

mgenov · Aug 17 '17 07:08
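The following is an added example (not code from the clouway/oauth2-server project and not part of this issue thread) that sketches the refresh-token flow from the issue body and the split the comment suggests: one authenticator for public clients, which identify themselves with `client_id` alone, and one for confidential clients, which must present their secret. The client registry, refresh-token store, token values and the rotation policy are constructed for the example; the one check that matters for security either way is that the refresh token was issued to the client making the request, so a public client cannot replay another client's refresh token just by naming a different `client_id`.

```python
import base64
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Client:
    client_id: str
    public: bool                  # True for Android/iOS/Chrome-style clients
    secret: Optional[str] = None  # only confidential clients hold one


# Constructed registry and refresh-token store (hypothetical values).
CLIENTS: Dict[str, Client] = {
    "mobile-app": Client("mobile-app", public=True),
    "backend-svc": Client("backend-svc", public=False, secret="s3cr3t"),
}
# refresh_token -> client_id the token was issued to
REFRESH_TOKENS: Dict[str, str] = {
    "rt-mobile-1": "mobile-app",
    "rt-backend-1": "backend-svc",
}


class AuthError(Exception):
    """Carries the OAuth2 error code the token endpoint should return."""


def basic_header(client_id: str, secret: str) -> str:
    """Build the HTTP Basic Authorization value a confidential client sends."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def _basic_credentials(headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(auth[6:], validate=True).decode()
        client_id, secret = raw.split(":", 1)
    except (ValueError, UnicodeDecodeError):
        raise AuthError("invalid_client")
    return client_id, secret


def authenticate_public(client: Client, creds, form: Dict[str, str]) -> None:
    # A public client only identifies itself; there is no secret to verify,
    # so any secret it presents is ignored rather than trusted.
    if creds is not None and creds[0] != client.client_id:
        raise AuthError("invalid_client")


def authenticate_confidential(client: Client, creds, form: Dict[str, str]) -> None:
    # A confidential client must prove possession of its secret, either via
    # the Basic header or the client_secret form parameter.
    presented = creds[1] if creds else form.get("client_secret")
    if presented is None or not hmac.compare_digest(
        presented.encode(), (client.secret or "").encode()
    ):
        raise AuthError("invalid_client")


def refresh(headers: Dict[str, str], form: Dict[str, str]) -> Dict[str, str]:
    if form.get("grant_type") != "refresh_token":
        raise AuthError("unsupported_grant_type")
    creds = _basic_credentials(headers)
    client_id = creds[0] if creds else form.get("client_id")
    client = CLIENTS.get(client_id or "")
    if client is None:
        raise AuthError("invalid_client")
    # Separate authenticators per client type, as the comment proposes.
    (authenticate_public if client.public else authenticate_confidential)(client, creds, form)
    token = form.get("refresh_token", "")
    # The refresh token must have been issued to the client presenting it.
    if REFRESH_TOKENS.get(token) != client.client_id:
        raise AuthError("invalid_grant")
    # Assumed policy: rotate the refresh token on every use so a leaked
    # token from a public client stops working after its first replay.
    del REFRESH_TOKENS[token]
    new_refresh = "rt-" + secrets.token_urlsafe(8)
    REFRESH_TOKENS[new_refresh] = client.client_id
    return {
        "access_token": "at-" + secrets.token_urlsafe(8),
        "token_type": "Bearer",
        "refresh_token": new_refresh,
    }


def token_endpoint(headers: Dict[str, str], form: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Map the grant outcome to an HTTP status and JSON-style body."""
    try:
        return 200, refresh(headers, form)
    except AuthError as err:
        code = str(err)
        return (401 if code == "invalid_client" else 400), {"error": code}


if __name__ == "__main__":
    # Public client: client_id plus refresh_token, no secret.
    print(token_endpoint({}, {"grant_type": "refresh_token",
                              "client_id": "mobile-app",
                              "refresh_token": "rt-mobile-1"}))
    # Confidential client without its secret is refused.
    print(token_endpoint({}, {"grant_type": "refresh_token",
                              "client_id": "backend-svc",
                              "refresh_token": "rt-backend-1"}))
```

The `invalid_client` branch deliberately covers both "unknown client" and "bad secret", so the response does not reveal which client ids exist; the refresh-token ownership check returns `invalid_grant` only after the caller has been authenticated as (or identified as) the client it claims to be.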