liferay-docs
Token Use (Access) and Client Cred. and Res Own
Client Cred. and Res Own release an access token without prompting for credentials.
The chapter "Token Use" talks about the access token. In the last paragraph it's explained using the words "authorization code", but IMHO it's more appropriate to use "access token" (if I'm not wrong, the /token endpoint always responds with an access or refresh token).
The same modification applies to 7.2 documentation
P.S. Refresh token usage should be added
@stian-sigvartsen can you verify? Did I get the terminology wrong?
Hi @saz11a. Yes this amendment is correct. Thanks @denissignoretto ! I would only suggest that instead of..
In both cases users are NOT prompted for their passwords and receive an directly an access token.
.. we might consider something like ..
"In both cases the client will receive an access token immediately in the HTTP response, based on the credentials provided in the HTTP request."
p.s. About the refresh tokens, Client Credentials grant will not provide this (as per spec https://tools.ietf.org/html/rfc6749#section-4.4.3).
The Resource Owner Password Credentials grant will however provide one.
Like @denissignoretto mentioned we should cover their usage also. It only requires another request to the token endpoint:
https://[hostname]/o/oauth2/token?grant_type=refresh_token&client_id=[client ID]&client_secret=[client secret]&refresh_token=[refresh token]
More details here: https://tools.ietf.org/html/rfc6749#section-6
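
The refresh request mentioned in the comment above, as an added example (not code from this thread or from Liferay): it sends the parameters the way RFC 6749 section 6 describes, in a form-encoded POST body, with the client authenticating over HTTP Basic so that neither the client secret nor the refresh token ends up in a URL, and it handles a rotated refresh token in the response. The host name, sample credentials and function names are assumptions made for illustration, as is the server accepting HTTP Basic client authentication (RFC 6749 section 2.3.1).

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumption: placeholder host; the /o/oauth2/token path is the one quoted in the thread.
TOKEN_URL = "https://liferay.example.invalid/o/oauth2/token"


def build_refresh_request(client_id, client_secret, refresh_token, url=TOKEN_URL):
    """Build (but do not send) an RFC 6749 section 6 refresh request.

    The refresh token travels in the form-encoded POST body and the client
    authenticates with HTTP Basic, so neither secret appears in the URL.
    """
    body = urllib.parse.urlencode(
        {"grant_type": "refresh_token", "refresh_token": refresh_token}
    ).encode("ascii")
    # RFC 6749 section 2.3.1: form-encode id and secret before Basic encoding.
    pair = ":".join(urllib.parse.quote_plus(v) for v in (client_id, client_secret))
    headers = {
        "Authorization": "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii"),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def apply_token_response(stored, status, raw_body):
    """Return the updated token state, or raise on an error response."""
    payload = json.loads(raw_body)
    if status != 200 or "error" in payload:
        # e.g. invalid_grant: refresh token expired or revoked (section 5.2)
        raise PermissionError(payload.get("error", "unexpected_response"))
    updated = dict(stored, access_token=payload["access_token"])
    # Section 6: the server MAY rotate the refresh token; if it does, replace the old one.
    if "refresh_token" in payload:
        updated["refresh_token"] = payload["refresh_token"]
    return updated


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    req = build_refresh_request("my-client", "s3cr3t/+", "constructed-refresh-token")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

Pass the returned request to `urllib.request.urlopen` to send it, then feed the status code and body to `apply_token_response`.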