We would like to use the oauth2 module and hash our clients secrets.
I wonder why do we have to provide the client_secret in order to user refresh authentication/authorization if the point of that is not to ask the client for further data.
I think there is something I’m missing here.
Thank you in advance,
Vino.
Hi Vino,
From what I have read, it is a requirement to include client_secret.
Below RFC describe how refresh token works.
https://datatracker.ietf.org/doc/html/rfc6749#section-1.5
(G) The client requests a new access token by authenticating with
the authorization server and presenting the refresh token. The
client authentication requirements are based on the client type
and on the authorization server policies.
(H) The authorization server authenticates the client and validates
the refresh token, and if valid, issues a new access token (and,
optionally, a new refresh token).
When you are requesting a new access token with refresh token, client authentication is required based on client type.
If we read more here:
If the client was issued a secret, then the client must authenticate this request.
I hope this info helps you to understand.