0
votes

I am trying to understand how to use Laravel Passport with email and password.

I know that I should not store client_id & client_secret on the client side. I wrote my own login and it's working as expected; in return I get the access token, but I can't think of a way to refresh this token without storing client_id & client_secret on the client. Or is there no way to refresh the access token without client_id & client_secret?

I have also read "How to use Laravel Passport with Password Grant Tokens?" but there is no clear answer there for me on how, and whether, it is possible to refresh the token.

Thanks for helping!

1

1 Answer

1
votes

https://www.oauth.com/oauth2-servers/access-tokens/refreshing-access-tokens/

Typically, refresh tokens are only used with confidential clients. However, since it is possible to use the authorization code flow without a client secret, the refresh grant may also be used by clients that don’t have a secret. If the client was issued a secret, then the client must authenticate this request. Typically the service will allow either additional request parameters client_id and client_secret, or accept the client ID and secret in the HTTP Basic auth header. If the client does not have a secret, then no client authentication will be present in this request.

This means that refresh tokens might not be the right choice for a client app that should not store credentials.
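To make the quoted rule concrete, here is an added example of the refresh_token request against Laravel Passport's token endpoint; it is not code from the question or the answer, and it is not Passport's own source. The same helper produces both request shapes: a confidential client (code running on a server you control) passes its secret, while a public client omits it and sends no client authentication at all. It assumes a Passport version that supports public clients (created with `php artisan passport:client --public`), the Laravel `Http` facade, and placeholder values for the host, client id and tokens.

```php
<?php
// Added example, not part of the original question or answer.
// Refresh a Laravel Passport access token with the refresh_token grant.
// Host name, client id, and token values below are placeholders.

use Illuminate\Support\Facades\Http;
use RuntimeException;

/**
 * Refresh an access token.
 *
 * Pass $clientSecret only from a confidential client, i.e. code that runs
 * server-side where the secret can be kept out of reach of end users.
 * A public client (mobile app, SPA) leaves it null; per the OAuth rule quoted
 * above, a client that was never issued a secret sends no client authentication.
 */
function refreshPassportToken(string $refreshToken, string $clientId, ?string $clientSecret = null): array
{
    $form = [
        'grant_type'    => 'refresh_token',
        'refresh_token' => $refreshToken,
        'client_id'     => $clientId,
        'scope'         => '',            // empty = keep the scopes of the original grant
    ];

    // Only a confidential client adds its secret. If Passport issued the client a
    // secret and none is sent, the request is rejected with invalid_client.
    if ($clientSecret !== null) {
        $form['client_secret'] = $clientSecret;
    }

    $response = Http::asForm()->post('https://passport-app.example/oauth/token', $form);

    if ($response->failed()) {
        // Typical error bodies: invalid_client (bad/missing credentials) or
        // invalid_grant (refresh token revoked, expired, or bound to another client).
        throw new RuntimeException('Token refresh failed: ' . $response->body());
    }

    // Passport answers with token_type, expires_in, access_token and a NEW
    // refresh_token. The old refresh token is revoked on use, so the caller must
    // persist the new one; reusing the old one fails with invalid_grant.
    return $response->json();
}

// Confidential client (secret stays on the server):
// $tokens = refreshPassportToken('<refresh-token>', '<client-id>', '<client-secret>');
// Public client (no secret stored on the device):
// $tokens = refreshPassportToken('<refresh-token>', '<client-id>');
```

The defensive point for the original question: a refresh token held by a public client is itself a long-lived credential, so the client id it belongs to should be registered without a secret rather than shipping a confidential client's secret inside the app, and the client should treat the rotated refresh token returned by each call as the only valid one.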