VerifyRefreshToken during introspection call from Okapi2 to Okapi1

I have a requirement where a client needs to refresh the access token issued for a different client.

ClientA - Dev app onboarded on Okapi1 (EPIC).

ClientB - Okapi2 (AWS) onboarded as a client on Okapi1.

On Okapi1 both are onboarded as apps. Now ClientB is nothing but Okapi2, which is onboarded on Okapi1 and makes the introspection call to Okapi1 to verify the refresh token and get the information stored in the custom attributes of the associated access token.

Currently, in OAuth V2 I am using the RefreshAccessToken operation, which fails without ClientA's credentials.

Is it possible for ClientB to verify the refresh token without using ClientA's credentials?

Not clear what your requirement is. Maybe taking it slower, showing a diagram, explaining in more detail might help.

BUT, having said that, NO, in general one client cannot refresh an access token that has been obtained by a different client. If that were allowed, it would be a massive security problem.
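The binding the reply describes, shown as an added example that is not part of this thread and not Apigee's or any product's implementation: the authorization server records which client a refresh token was issued to and treats a refresh attempt by any other client as an invalid grant (RFC 6749, section 6 requires that a refresh token is bound to the client it was issued to). The token store, the client names `clientA`/`clientB`, their secrets, the custom attributes and the `introspect` method (a read-only lookup of an access token's attributes, authenticated with the caller's own credentials) are all constructed for this illustration.

```python
"""Why one client cannot refresh another client's token: the refresh token is
bound to the issuing client_id and the refresh operation checks that binding.
Constructed illustration; not the implementation of any real token server."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenRecord:
    access_token: str
    refresh_token: str
    client_id: str                                  # client the pair was issued to
    attributes: dict = field(default_factory=dict)  # custom attributes set at issue time


class TokenError(Exception):
    """Mirrors an OAuth error code such as invalid_client or invalid_grant."""


class TokenStore:
    def __init__(self):
        self._clients = {}      # client_id -> client secret (constructed test data)
        self._by_refresh = {}   # refresh_token -> TokenRecord
        self._by_access = {}    # access_token -> TokenRecord

    def register_client(self, client_id, secret):
        self._clients[client_id] = secret

    def _authenticate(self, client_id, secret):
        expected = self._clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, secret):
            raise TokenError("invalid_client")

    def _new_pair(self, client_id, attributes):
        rec = TokenRecord(secrets.token_urlsafe(24), secrets.token_urlsafe(24),
                          client_id, dict(attributes))
        self._by_refresh[rec.refresh_token] = rec
        self._by_access[rec.access_token] = rec
        return rec

    def issue(self, client_id, secret, attributes):
        """Initial grant: the caller authenticates and gets a token pair bound to it."""
        self._authenticate(client_id, secret)
        return self._new_pair(client_id, attributes)

    def refresh(self, client_id, secret, refresh_token):
        """RefreshAccessToken-style operation. The caller must authenticate AND
        must be the client the refresh token was issued to."""
        self._authenticate(client_id, secret)
        rec = self._by_refresh.get(refresh_token)
        if rec is None:
            raise TokenError("invalid_grant")
        if rec.client_id != client_id:
            # The binding check: another client's refresh token is an invalid
            # grant for this caller, regardless of how it was obtained.
            raise TokenError("invalid_grant: refresh token bound to another client")
        # Rotate: the old pair is invalidated, the new pair keeps the attributes.
        del self._by_refresh[refresh_token]
        del self._by_access[rec.access_token]
        return self._new_pair(client_id, rec.attributes)

    def introspect(self, caller_id, caller_secret, access_token):
        """Read-only lookup of an access token's attributes. The caller (for
        example a resource server) uses its own credentials; it never needs
        the issuing client's secret, and cannot refresh anything through it."""
        self._authenticate(caller_id, caller_secret)
        rec = self._by_access.get(access_token)
        if rec is None:
            return {"active": False}
        return {"active": True, "client_id": rec.client_id, **rec.attributes}


def demo():
    """ClientB cannot refresh ClientA's token; it can still read the custom
    attributes of the access token, and ClientA can refresh its own token."""
    store = TokenStore()
    store.register_client("clientA", "a-secret")
    store.register_client("clientB", "b-secret")
    tok = store.issue("clientA", "a-secret", {"tenant": "acme", "role": "dev"})
    try:
        store.refresh("clientB", "b-secret", tok.refresh_token)
        refused = False
    except TokenError:
        refused = True
    info = store.introspect("clientB", "b-secret", tok.access_token)
    renewed = store.refresh("clientA", "a-secret", tok.refresh_token)
    return refused, info, renewed.attributes


if __name__ == "__main__":
    print(demo())
```

Authenticating ClientB is necessary but not sufficient: the `refresh` method only honours the token when the caller's `client_id` matches the one recorded at issue time, which is exactly why the RefreshAccessToken call in the question fails without ClientA's credentials.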