1
votes

I am learning OAuth grant types. I have observed that the refresh token is applicable only to the Authorization Code and Resource Owner Password Credentials grants. My question is: why is it applicable only to the Authorization Code and Resource Owner Password Credentials grants and not to the Implicit and Client Credentials grants?

2 Answers

1
votes

Refresh tokens should only be issued to clients that can authenticate themselves when using it.

The authorization code grant is intended to be used by confidential clients (clients that can keep a secret). And the use of the refresh token should be authenticated using client credentials.

The resource owner password credentials flow issues a refresh token, so that the client does not have to keep the user's username and password around. It can use the refresh token to get a new access token.

The implicit grant was intended to be used by public clients (who cannot keep a secret). Since they cannot keep a secret, there's no way for these clients to have client credentials used with the refresh grant.

And finally, the client credentials flow does not need a refresh token, as it can just use the client credentials to get a new access token when the old one expires.
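
An added example, not part of the answer above and not taken from any OAuth library: a minimal token endpoint that authenticates the client before honouring a refresh token, checks that the token was issued to that same client, and issues no refresh token for the client credentials grant. All names (`CLIENTS`, `token_endpoint`, the client ids and secrets) are hypothetical, and the stores are constructed in-memory samples.

```python
import hmac
import secrets

# Constructed sample data: two confidential clients (client_id -> client_secret).
CLIENTS = {"billing-app": "s3cret-constructed", "reports-app": "0ther-constructed"}
REFRESH_TOKENS = {}  # refresh_token -> (client_id, user) it was issued to


def authenticate_client(client_id, client_secret):
    """Constant-time check of the presented client secret."""
    expected = CLIENTS.get(client_id)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), (client_secret or "").encode())


def issue_tokens(client_id, user, with_refresh):
    """Mint an access token and, optionally, a refresh token bound to the client."""
    resp = {"access_token": secrets.token_urlsafe(16),
            "token_type": "Bearer", "expires_in": 300}
    if with_refresh:
        rt = secrets.token_urlsafe(32)
        REFRESH_TOKENS[rt] = (client_id, user)
        resp["refresh_token"] = rt
    return resp


def token_endpoint(params):
    """Handle the two grants that need no user interaction."""
    client_id = params.get("client_id")
    # Every request here must come from a client that can prove who it is.
    if not authenticate_client(client_id, params.get("client_secret")):
        return {"error": "invalid_client"}
    grant = params.get("grant_type")
    if grant == "client_credentials":
        # The credentials themselves get a new access token; no refresh token.
        return issue_tokens(client_id, None, with_refresh=False)
    if grant == "refresh_token":
        bound = REFRESH_TOKENS.get(params.get("refresh_token"))
        # Reject unknown tokens and tokens issued to a different client.
        if bound is None or bound[0] != client_id:
            return {"error": "invalid_grant"}
        return issue_tokens(client_id, bound[1], with_refresh=False)
    return {"error": "unsupported_grant_type"}
```

Calling `issue_tokens("billing-app", "alice", with_refresh=True)` stands in for the end of an authorization code exchange and yields the refresh token to present to `token_endpoint`.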

0
votes

If you are using v5 you can use https://docs.spring.io/spring/docs/5.0.0.M5_to_5.0.0.RC1/Spring%20Framework%205.0.0.RC1/org/springframework/web/cors/CorsConfiguration.html

CorsConfiguration#applyPermitDefaultValues

or you can use

@RestController
@CrossOrigin(origins = "*", methods= {RequestMethod.GET,RequestMethod.POST})
public class HelloRESTController {