Refresh token using client credentials

Hello everyone.

My use case is as follows.

  1. Request a refresh token using client credentials. Returns a refresh token.
  2. Use the refresh token (without client credentials) to obtain an access token.

From what I read: to validate a refresh token I need client credentials. That defeats my purpose of not exposing the client credentials on every token generation.
Is there a way to implement my requirements?
Thank you

NO.

The issuance of a refresh token with the client credential grant has no benefit. That is why RFC 6749 section 4.4.3 indicates "A refresh token SHOULD NOT be included."

I have read that. Don't you think that a refresh token is better than exposing Consumer Key and Consumer Secret every time you request a token?

Let me try. Let's say, hypothetically ... when your access token expires, how would you get a new refresh token? Using client_id and client_secret, right? However, if you can get an access_token using the same client_id and client_secret in one step, why would you make an additional call to get a refresh_token? If this explanation does not help, I suggest the following:

If you want to NOT expose the client secret for every token request, an alternative is to use an RFC7523 grant, which uses grant_type = "urn:ietf:params:oauth:grant-type:jwt-bearer"

Each client creates a self-signed JWT and sends THAT into the /token endpoint, to receive a client-credentials token.

This requires that you configure your platform to issue a public/private keypair for each client app, and distribute the private key to the client developer. The signature on the JWT proves to the token issuer (apigee) that the client is authentic.

Screencast

Github repo with sample code

If a client is using a JWT to get an access token on behalf of itself, grant_type should still be "client_credentials", where the JWT should be supplied in the "client_assertion" parameter with the "client_assertion_type" parameter being set to "urn:ietf:params:oauth:client-assertion-type:jwt-bearer". See https://tools.ietf.org/html/rfc7521#section-6.2

When the client is doing the same on behalf of a user, then grant_type becomes "urn:ietf:params:oauth:grant-type:jwt-bearer" and the JWT is provided in the "assertion" parameter.
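The two replies above describe the same mechanism from the client side (a self-signed JWT sent to /token) and the server side (the signature proves to the issuer which client it is), and the last one pins down the exact parameter names for the client-credentials case. The following Go program is an added example written for this thread; it is not code from the thread, from the linked screencast, or from the linked repo. It signs a client assertion with an ES256 key, builds the form body a client would POST (grant_type=client_credentials, client_assertion_type, client_assertion, per RFC 7521 section 6.2 as quoted above), and then performs the checks a token endpoint must make before trusting the assertion: signature against the registered public key, audience, expiry and issuer/subject. The client id and the token endpoint URL are placeholders; the key pair is generated in-process, standing in for the per-app key pair the platform would issue.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// b64 encodes bytes as base64url without padding (JWS compact serialization).
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildClientAssertion creates a self-signed JWT (ES256) whose claims follow
// RFC 7523 section 3: iss and sub are the client_id, aud is the token endpoint,
// a short exp limits replay, and jti makes each assertion unique.
func BuildClientAssertion(priv *ecdsa.PrivateKey, clientID, tokenEndpoint string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": clientID,
		"sub": clientID,
		"aud": tokenEndpoint,
		"iat": now.Unix(),
		"exp": now.Add(5 * time.Minute).Unix(),
		"jti": b64(jti),
	})
	signingInput := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signature is r || s, each left-padded to 32 bytes (not DER).
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64(sig), nil
}

// VerifyClientAssertion does what the token endpoint must do before issuing a
// client-credentials token: pin the algorithm, verify the signature with the
// public key registered for the app, then check aud, exp and iss/sub.
// It returns the authenticated client id.
func VerifyClientAssertion(pub *ecdsa.PublicKey, token, expectedAud string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed JWT")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "ES256" {
		return "", fmt.Errorf("unsupported or missing alg") // never trust alg from the token beyond the one you expect
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return "", fmt.Errorf("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return "", fmt.Errorf("signature invalid")
	}
	var claims struct {
		Iss string `json:"iss"`
		Sub string `json:"sub"`
		Aud string `json:"aud"`
		Exp int64  `json:"exp"`
	}
	cb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(cb, &claims) != nil {
		return "", fmt.Errorf("bad claims")
	}
	if claims.Aud != expectedAud {
		return "", fmt.Errorf("audience mismatch") // assertion minted for a different token endpoint
	}
	if now.Unix() >= claims.Exp {
		return "", fmt.Errorf("assertion expired")
	}
	if claims.Iss == "" || claims.Iss != claims.Sub {
		return "", fmt.Errorf("iss/sub mismatch")
	}
	return claims.Sub, nil
}

// TokenRequestBody builds the form the client POSTs to /token: grant_type stays
// client_credentials and the JWT travels in client_assertion (RFC 7521 s.6.2).
func TokenRequestBody(assertion string) string {
	v := url.Values{}
	v.Set("grant_type", "client_credentials")
	v.Set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
	v.Set("client_assertion", assertion)
	return v.Encode()
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the per-app key pair
	const endpoint = "https://example.invalid/oauth/token"  // placeholder token endpoint
	tok, _ := BuildClientAssertion(priv, "my-client-id", endpoint, time.Now())
	fmt.Println(TokenRequestBody(tok))
	who, err := VerifyClientAssertion(&priv.PublicKey, tok, endpoint, time.Now())
	fmt.Println("authenticated client:", who, "err:", err)
}
```

The private key never leaves the client and is never sent over the wire, which is the property the original poster was after: what crosses the network is a short-lived, audience-bound, signed assertion, so capturing one request does not yield a reusable credential the way a leaked consumer secret does.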

Yes, thank you for the input.

Thank you for the input.