RefreshTokenGrant requires client_secret also for non-confidential clients #1369
Comments
Did you include the
Could you provide details about where the exception is being thrown from and we can check this. It should be noted that most implementations don't allow public clients to use the Refresh Token grant for enhanced security. We explicitly skip client validation if the client is confidential for the auth code grant but don't do a similar check for the refresh token grant, so I think you are correct in your assertion. I'm unsure if we should support this though. Any further information about where the error is being thrown etc. would be appreciated. Thank you
Hello, I'm currently facing a similar challenge in our implementation. We use the Auth code grant to authenticate our micro-frontend application and we want to avoid re-doing a complete authorization flow each time our token reaches its expiration. As per the specifications, it states that issuing a refresh token is at the discretion of the authorization server and in fact, a refresh token is issued when we request a token through the Auth Code grant flow, but we cannot use it because of the limitation mentioned above. Is there a way for us to use this refresh token without a client secret? Thanks for your time
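The rule the maintainer describes (demand a client_secret only from confidential clients, and decide separately whether public clients may use the refresh_token grant at all) can be modelled outside the library. The following is an added example, not league/oauth2-server code: `sample_stores`, `authenticate_client`, `respond_to_refresh_request`, the `allow_public` flag and the two constructed clients (`web-backend`, `spa-frontend`) with their refresh tokens are all assumptions made for this illustration. It also shows the two checks that matter when a public client is allowed in: the refresh token must be bound to the `client_id` that presents it, and it is rotated on use.

```python
"""Model of client authentication for the refresh_token grant.

Added example, not the library's implementation. RFC 6749 section 6
requires confidential clients to authenticate and requires the server to
verify that the refresh token was issued to the client presenting it.
"""
import hashlib
import hmac
import secrets


class InvalidClient(Exception):
    """Client authentication failed (maps to the invalid_client error)."""


class InvalidGrant(Exception):
    """Refresh token unusable by this client (maps to invalid_grant)."""


def sample_stores():
    """Constructed sample data: one confidential and one public client,
    each holding a refresh token that was issued to it."""
    clients = {
        "web-backend": {
            "confidential": True,
            "secret_hash": hashlib.sha256(b"example-secret").hexdigest(),
        },
        "spa-frontend": {"confidential": False, "secret_hash": None},
    }
    refresh_tokens = {
        "rt-web-1": {"client_id": "web-backend", "revoked": False, "scopes": ["read"]},
        "rt-spa-1": {"client_id": "spa-frontend", "revoked": False, "scopes": ["read"]},
    }
    return clients, refresh_tokens


def authenticate_client(clients, params):
    """Confidential clients must present a matching client_secret; public
    clients are identified by client_id alone, so no secret is demanded."""
    client = clients.get(params.get("client_id"))
    if client is None:
        raise InvalidClient("unknown client_id")
    if client["confidential"]:
        secret = params.get("client_secret")
        if secret is None:
            raise InvalidClient("client_secret required for confidential client")
        given = hashlib.sha256(secret.encode()).hexdigest()
        # Constant-time comparison of the stored and presented secret hashes.
        if not hmac.compare_digest(given, client["secret_hash"]):
            raise InvalidClient("client_secret mismatch")
    return params["client_id"], client["confidential"]


def respond_to_refresh_request(clients, refresh_tokens, params, allow_public=True):
    """Validate a refresh_token grant request and rotate the token.

    Returns (client_id, scopes, new_refresh_token) on success.
    allow_public is the policy knob the maintainer mentions: with it off,
    public clients are refused the grant outright (hypothetical flag)."""
    client_id, confidential = authenticate_client(clients, params)
    if not confidential and not allow_public:
        raise InvalidClient("refresh_token grant not permitted for public clients")
    token = refresh_tokens.get(params.get("refresh_token"))
    if token is None or token["revoked"]:
        raise InvalidGrant("refresh token unknown or revoked")
    # Binding check: the token must have been issued to this very client.
    # For a public client this is the only thing tying the token to an identity.
    if token["client_id"] != client_id:
        raise InvalidGrant("refresh token was not issued to this client")
    # Rotation: single-use refresh tokens limit the damage from a leaked one.
    token["revoked"] = True
    new_token = secrets.token_urlsafe(32)
    refresh_tokens[new_token] = {
        "client_id": client_id,
        "revoked": False,
        "scopes": list(token["scopes"]),
    }
    return client_id, token["scopes"], new_token


if __name__ == "__main__":
    clients, tokens = sample_stores()
    # Public client, no secret: accepted because the token is bound to it.
    print(respond_to_refresh_request(
        clients, tokens, {"client_id": "spa-frontend", "refresh_token": "rt-spa-1"}))
```

Calling `respond_to_refresh_request` with `allow_public=False` reproduces the behaviour the reporter hit (a public client is rejected with an invalid_client style error); with it on, the public client still cannot present a token issued to `web-backend`, and every successful call revokes the token that was used.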
RefreshTokenGrant::respondToAccessTokenRequest requires a client_secret, otherwise it will throw an exception (OAuthServerException::invalidClient). This does not make sense for non-confidential clients, as they are not able to send the client_secret.