Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Question: Shouldn't the Client Credentials flow not include a refresh token in the response? #562

Closed
alronlam opened this issue Sep 23, 2015 · 1 comment
Closed

Question: Shouldn't the Client Credentials flow not include a refresh token in the response? #562

alronlam opened this issue Sep 23, 2015 · 1 comment
Assignees
@subnetmarco
Labels
plugins/oauth2

Comments

@alronlam
Copy link

Hi, I was trying out the Client Credentials flow with Kong and it returned a refresh token. I also tried obtaining another access token through the refresh token. However, I noticed that the client id and secret still had to be passed to Kong when doing so. And this got me thinking as to what advantage the refresh token has to offer in this case, because the client id and secret are still being passed to Kong.

If I understood this correctly, in the context of a Resource Owner Password Credentials Grant flow, the refresh token is useful so that we don't have to let the user re-authenticate. And that the OAuth2 spec requires passing the client id and secret so that if the refresh token gets compromised, the attacker still could not request for a new access token. And so the use of a refresh token seems to make sense for the ROPC flow.

However, for the Client Credentials flow, this doesn't seem to be the case, since we don't really need the refresh tokens because we're just authenticating the client.

So I ended up reading the Client Credentials flow here (https://tools.ietf.org/html/rfc6749#section-4.4) and I came across this section.

4.4.3. Access Token Response

If the access token request is valid and authorized, the
authorization server issues an access token as described in
Section 5.1. A refresh token SHOULD NOT be included. If the request
failed client authentication or is invalid, the authorization server
returns an error response as described in Section 5.2.

I'm not sure if my understanding is correct though. Would love to hear your thoughts on it.
@subnetmarco subnetmarco self-assigned this Sep 29, 2015
@subnetmarco
Copy link
Member

That's correct - let me push a fix for this.

subnetmarco added a commit that referenced this issue Oct 2, 2015
@subnetmarco
Closing #562
a7d962b
xvaara added a commit to xvaara/kong that referenced this issue Oct 3, 2015
@xvaara
Merge remote-tracking branch 'Mashape/master'
99c0227 
* Mashape/master: (23 commits)
  Update README.md
  Update README.md
  Closing Kong#562
  Adding wait time before ratelimiting tests
  Fixing test
  fix(jwt) handle `iss` not being found in jwt credentials
  Update README.md
  docs(update) remove redundancy
  docs(update) fix layout
  fix(test) fix config test after Kong#563
  Update README.md
  Adding missing statement for Kong#571
  perf(analytics) global optimizations
  fix(plugins) make default config for plugins an empty object
  Closes Kong#445
  dbocs(changelog) 0.5.0 changes
  Better content-type check in response-transformer plugin
  Closes Kong#535
  Fixes the root problem at Kong#565
  fix(key-auth) remove support for key in request body
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@subnetmarco subnetmarco

Labels
plugins/oauth2
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@subnetmarco @bungle @alronlam @thibaultcha @sonicaghi