3
votes

According to this section of RFC 6749, the Authorization Server MUST NOT issue a refresh token for the Implicit Grant flow.

https://tools.ietf.org/html/rfc6749#page-35

I'm planning to use the Implicit Grant flow with a Refresh Token in a single page application, to avoid requesting a new authorization process from the user each time the access token expires.

Could anybody clarify the reason for this constraint in the RFC?

Thanks :)


1 Answer

3
votes

Eduardo, in the implicit grant flow, the client is requesting access to a resource by way of a "User Agent", aka the browser, from the user. So a client wants to grab something, but needs the user to enter permissions for it. If the auth server provided a refresh token, then the client could skip asking the user for permission in the future and grant itself access forever (essentially re-upping its token whenever it wants without user permission). So they forbid it in the flow because the "untrusted" client should only have access by way of having the user enter their credentials (thus only when the resource owner allows it).