We would like to use the oauth2 module and hash our clients' secrets.
I wonder why we have to provide the client_secret in order to use refresh authentication/authorization, if the point of that is not to ask the client for further data.
(G) The client requests a new access token by authenticating with the authorization server and presenting the refresh token. The client authentication requirements are based on the client type and on the authorization server policies.
(H) The authorization server authenticates the client and validates the refresh token, and if valid, issues a new access token (and, optionally, a new refresh token).
When you are requesting a new access token with a refresh token, client authentication is required depending on the client type.
If we read more here:
If the client was issued a secret, then the client must authenticate this request.
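As an added example (not from the original post or the oauth2 module), here is a minimal refresh_token grant handler in Python that applies that rule: a client that was issued a secret must authenticate, while a public client is not asked for one, and the server can still perform that authentication while storing only a salted hash of the secret. The client ids, the secret and the refresh tokens are constructed placeholders.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 of a client secret; the plaintext is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)
    return salt, digest


# Constructed client registry (hypothetical values). The "confidential" client
# was issued a secret at registration; the "public" client (e.g. a native app) was not.
_salt, _digest = hash_secret("s3cr3t-example")
CLIENTS = {
    "web-app": {"type": "confidential", "salt": _salt, "secret_hash": _digest},
    "mobile-app": {"type": "public", "salt": None, "secret_hash": None},
}

# Constructed refresh-token store: refresh token -> client it was issued to.
REFRESH_TOKENS = {"rt-web-1": "web-app", "rt-mobile-1": "mobile-app"}


def verify_secret(client: dict, presented: Optional[str]) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    if presented is None:
        return False
    _, digest = hash_secret(presented, client["salt"])
    return hmac.compare_digest(digest, client["secret_hash"])


def refresh_grant(client_id: str, client_secret: Optional[str], refresh_token: str) -> dict:
    """Steps (G)/(H): authenticate the client if it was issued a secret,
    then validate the refresh token and issue a new access token."""
    client = CLIENTS.get(client_id)
    if client is None:
        return {"error": "invalid_client"}
    # A client that was issued a secret must authenticate this request.
    if client["type"] == "confidential" and not verify_secret(client, client_secret):
        return {"error": "invalid_client"}
    # The refresh token must exist and must have been issued to this client.
    if REFRESH_TOKENS.get(refresh_token) != client_id:
        return {"error": "invalid_grant"}
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}
```

The public client gets a new access token without a secret, whereas the confidential client is refused unless the presented secret hashes to the stored value.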