About the Oauth2 Module

We would like to use the oauth2 module and hash our clients secrets.

I wonder why do we have to provide the client_secret in order to user refresh authentication/authorization if the point of that is not to ask the client for further data.

Screenshot from 2021-06-24 23-17-24

I think there is something I’m missing here.

Thank you in advance,

Hi Vino,

From what I have read, it is a requirement to include client_secret.

Below RFC describe how refresh token works.


   (G)  The client requests a new access token by authenticating with
        the authorization server and presenting the refresh token.  The
        client authentication requirements are based on the client type
        and on the authorization server policies.

   (H)  The authorization server authenticates the client and validates
        the refresh token, and if valid, issues a new access token (and,
        optionally, a new refresh token).

When you are requesting a new access token with refresh token, client authentication is required based on client type.

If we read more here:

If the client was issued a secret, then the client must authenticate this request.

I hope this info helps you to understand.

© 2019 Kong Inc.    Terms  •  Privacy  •  FAQ