Refresh token for client_credentials grant type

Report Inappropriate Content · 02-07-2017 04:54 PM

Is there any way to generate refresh token for client_credentials grant type?

I believe current OAuth policy does not support refresh token for client credentials grant type.

I have a use case where the access token is generated authentication the user from IDM. It is not fully three-legged OAuth flow, but it is short cut to the three-legged OAuth flow where user credentials and API credentials are passed in the single call, no auth code is generated.

e,g call look like below .

POST /baas/oauth/token HTTP/1.1
Host: hpcorp-XXX-dev.apigee.net
Content-Type: application/x-www-form-urlencoded
Authorization: Basic XXXXmFzYWRtQGhwLmNvbTpXXXVlc0AxMjM=
apiKey=EXeXXXwJ9IK7qV53BpijqtAJ&apiSecret=ZQaeQtKm0XXwjqqKXXscope=ars&grantType=client_credentials

DChiesa

The client_credentials grant does not issue a refresh token. It makes no sense, as the client can simply get another token with the same client credentials.

I think what you want is called the password grant.

Look in Section 4.3 of RFC 6749.

In this case you must pass grant type as "password". Example:

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=password&username=johndoe&password=A3ddj3w

And do note that according to the specification, for the password grant, the Authorization header is used to pass the client credentials, and the user creds are passed in the form parameters.

I am not clear what I should conclude by your url path - /baas/oauth/token .

Is it BaaS that is issuing the token?

If you're using the built-in Apigee Edge policy, then what I wrote above is correct. If somehow you are using BaaS to generate the token, then there is more we need to discuss.