11
votes

The Scenario

I've recently built an API, and have protected its resources using OAuth Bearer Access Tokens.

I've used the Client_Credentials Flow, as it will be accessed by clients as opposed to users.

Here's the thing: when a client has successfully provided the client_id and the client_secret, they receive a response like the following:

{
  "access_token": "<Access Token>",
  "token_type": "bearer",
  "expires_in": 1199,
  "refresh_token": "<Refresh Token>"
}

Refresh Tokens.

Not knowing much about refresh tokens, I immediately assumed that a client would be able to provide the OAuth Server the refresh_token to retrieve a fresh Access_Token.

This is 'kind of' correct.

In order to use the refresh_token the client still needs to pass the client_id and client_secret along with the refresh_token to get a new access token.

The grant_type also needs to be changed to refresh_token.

Where is the benefit of a refresh_token using this flow? If I need to pass the client_id and client_secret each time, surely you would just avoid using a refresh token altogether?

3
This question has nothing specifically to do with C#/ASP.Net and is applicable to anyone building an OAuth2 API. I have edited it to make it more widely applicable. (Great question!) - Chuck Le Butt

3 Answers

22
votes

The issuance of a refresh token with the client credential grant has no benefit. That is why RFC 6749 section 4.4.3 indicates "A refresh token SHOULD NOT be included." Thus its issuance is at the discretion of the authorization server.

From my point of view an authorization server should never issue a refresh token with the client credentials grant as the access token issuance process will take an additional and unnecessary step:

Issuance with the client_credentials grant type:

  • Step one: client authentication (client secret, assertion...)
  • OK access token is issued

Issuance with the refresh_token grant type:

  • Step one: client authentication (client secret, assertion...)
  • Step two: refresh token verification (expiration time, associated client...)
  • OK access token is issued
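As an added illustration of the two issuance paths listed above (example code written for this page, not from the question's API or any library), here is a toy token endpoint that handles both grant types and records which verification steps it performed. The client registry, token lifetimes and the in-memory refresh store are constructed assumptions.

```python
import secrets
import time

# Constructed client registry for the example (not real credentials).
CLIENTS = {"client-a": "secret-a", "client-b": "secret-b"}
ACCESS_TTL = 1199          # matches expires_in in the question
REFRESH_TTL = 86400        # assumed refresh token lifetime (seconds)
REFRESH_STORE = {}         # refresh_token -> (client_id, expiry timestamp)


def authenticate_client(client_id, client_secret):
    """Step one in both flows: client authentication (constant-time compare)."""
    expected = CLIENTS.get(client_id)
    return (expected is not None and client_secret is not None
            and secrets.compare_digest(expected, client_secret))


def issue_access(client_id, issue_refresh):
    """Build the token response; optionally attach a client-bound refresh token."""
    resp = {"access_token": secrets.token_urlsafe(32),
            "token_type": "bearer", "expires_in": ACCESS_TTL}
    if issue_refresh:
        rt = secrets.token_urlsafe(32)
        REFRESH_STORE[rt] = (client_id, time.time() + REFRESH_TTL)
        resp["refresh_token"] = rt
    return resp


def token_endpoint(params, issue_refresh=False, now=None):
    """Simulated /token endpoint. Returns (status, body, steps_performed)."""
    steps = ["client authentication"]
    client_id = params.get("client_id")
    if not authenticate_client(client_id, params.get("client_secret")):
        return 401, {"error": "invalid_client"}, steps
    grant = params.get("grant_type")
    if grant == "client_credentials":
        return 200, issue_access(client_id, issue_refresh), steps
    if grant == "refresh_token":
        # Step two, only in this flow: verify the refresh token itself.
        steps.append("refresh token verification")
        entry = REFRESH_STORE.get(params.get("refresh_token"))
        now = time.time() if now is None else now
        if entry is None or entry[0] != client_id or entry[1] < now:
            return 400, {"error": "invalid_grant"}, steps
        return 200, issue_access(client_id, issue_refresh), steps
    return 400, {"error": "unsupported_grant_type"}, steps
```

Running both flows shows the refresh path always performs a superset of the client_credentials path, and that the refresh token alone, without the client secret, yields nothing.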

-3
votes

The benefit is that the request token normally has a much longer life span than the access token.

Access token is used in communicating with the resource server. Request token is used when communicating with the authorization server.

You could read this as that you may be authorized but that the exact extent of your authorization needs to be reevaluated from time to time. So the request token has its use.