Support » Plugin: WP OAuth Server (OAuth Authentication) » Client credentials no Refresh token

  • Resolved 21stcn

    (@21stcn)


    I am a pro subscriber of the plugin. When I use user credentials, I successfully get a token and a refresh token at oauth/token:

    Request body

    
    {
    	"grant_type": "password",
    	"username": "email@gmail.com",
    	"password": "password"
    }
    

    Response

    
    {
      "access_token": "w2yktpqbivko8zggttalpuyxf1rv9sczyj2unw0f",
      "expires_in": 604800,
      "token_type": "Bearer",
      "scope": "basic",
      "refresh_token": "lbyvmr6u2b8iggiquc87bbckzxy5a6dpuztpetxp"
    }
    

    However, when I use the client credentials grant type, no refresh token is returned.

    Request body

    
    {
    	"grant_type": "client_credentials"
    }
    

    Response

    
    {
      "access_token": "zkn86ir4bhkjczlxxxxzddy7yewx4fxsnoued21",
      "expires_in": 604800,
      "token_type": "Bearer",
      "scope": "basic"
    }
    

    In Edit Client settings for the client, Client Credentials and Refresh Token are both checked under Allowed Grant types.

    [screenshot: Client settings]

    In Settings, under Advanced Configuration, Refresh Tokens is checked.

    [screenshot: General settings]

    So for the client with Client Credentials and Refresh token, no refresh token is being returned. I’ve checked the settings numerous times. This doesn’t seem to make any sense. Am I doing something wrong or misunderstanding something?

    • This topic was modified 8 months ago by 21stcn.
Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Justin Greer

    (@justingreerbbi)

    Forum Moderator

    Hi,

    I will answer this support issue here publicly as to why there is no refresh token for client credential grant type requests because I believe this response is for the community version as well.

    Our team has decided to strictly follow the Engineering Task Force's drafts for the use of OAuth2. If you have a look at https://tools.ietf.org/html/rfc6749#section-4.4.3 you will notice the draft states that there is no refresh token to be given for a client credential request.

    If the access token request is valid and authorized, the
    authorization server issues an access token as described in
    Section 5.1. A refresh token SHOULD NOT be included.

    We did investigate the possibility of adding this feature in but were cautioned by our colleagues with the Internet Engineering Task Force due to security issues it could bring.

    We are not set against adding it into the plugin at this point but saw no need to add it in up until your support request. The term “SHOULD NOT” does not mean “WILL NOT” to us and we will have another look at the request.

    Please provide clear reasoning as to why you believe your setup and project would require and be secure with Client Credential refresh tokens. We are always open to constructive feedback and working with those that provide a logical reason behind needing or wanting to branch from the IETF’s draft or OAuth 2.0.

    I am looking forward to hearing back from you.

    Thanks!
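To make the behaviour discussed in this thread concrete, here is an added example (not WP OAuth Server code, which is PHP, and not written by the plugin author): a small in-memory model of an RFC 6749 token endpoint that issues a refresh token for the password grant but, following section 4.4.3, not for client_credentials, together with a client that renews its access token correctly in both cases. The client id, secret, user account and token lifetime are constructed test data; the function names are assumptions made for this example.

```python
"""Model of an OAuth 2.0 token endpoint (RFC 6749) plus a client that copes
with the client_credentials grant returning no refresh token.
Added example; the registration data below is constructed for the demo."""
import hmac
import secrets
import time

# Constructed registration data (assumption: one confidential client, one user).
CLIENTS = {
    "app-client": {
        "secret": "s3cret",
        "grants": {"client_credentials", "password", "refresh_token"},
    }
}
USERS = {"email@gmail.com": "password"}

ACCESS_TTL = 604800          # seconds; matches the expires_in seen in the thread
_refresh_store = {}          # refresh_token -> (client_id, scope)


def _new_token():
    return secrets.token_hex(20)   # 40 hex characters, like the thread's tokens


def _authorized_client(client_id, client_secret):
    client = CLIENTS.get(client_id)
    if client is None:
        return None
    # Constant-time comparison so a wrong secret is not distinguishable by timing.
    if not hmac.compare_digest(client["secret"], client_secret):
        return None
    return client


def token_endpoint(client_id, client_secret, body):
    """Return the token response dict for one request body.
    Covers RFC 6749 4.3 (password), 4.4 (client_credentials) and 6 (refresh_token)."""
    client = _authorized_client(client_id, client_secret)
    if client is None:
        return {"error": "invalid_client"}
    grant = body.get("grant_type")
    if grant not in client["grants"]:
        return {"error": "unauthorized_client"}   # grant not enabled for this client
    scope = body.get("scope", "basic")

    if grant == "password":
        if USERS.get(body.get("username")) != body.get("password"):
            return {"error": "invalid_grant"}
        issue_refresh = True
    elif grant == "client_credentials":
        # RFC 6749 4.4.3: "A refresh token SHOULD NOT be included."
        # The client can always get a fresh token with its own credentials.
        issue_refresh = False
    elif grant == "refresh_token":
        # Rotate: the presented refresh token is consumed whether or not it is valid.
        entry = _refresh_store.pop(body.get("refresh_token"), None)
        if entry is None or entry[0] != client_id:
            return {"error": "invalid_grant"}
        scope = entry[1]
        issue_refresh = True
    else:
        return {"error": "unsupported_grant_type"}

    resp = {"access_token": _new_token(), "expires_in": ACCESS_TTL,
            "token_type": "Bearer", "scope": scope}
    if issue_refresh:
        rt = _new_token()
        _refresh_store[rt] = (client_id, scope)
        resp["refresh_token"] = rt
    return resp


class TokenClient:
    """Client-side token cache. With client_credentials there is no refresh
    token to use, so renewal is simply a new client_credentials request."""

    def __init__(self, client_id, client_secret, grant_body, clock=time.time):
        self.client_id, self.client_secret = client_id, client_secret
        self.grant_body = grant_body
        self.clock = clock            # injectable for testing expiry
        self.access_token = None
        self.refresh_token = None
        self.expires_at = 0.0

    def _apply(self, resp):
        if "error" in resp:
            raise RuntimeError(resp["error"])
        self.access_token = resp["access_token"]
        self.refresh_token = resp.get("refresh_token")   # None for client_credentials
        self.expires_at = self.clock() + resp["expires_in"]

    def get_access_token(self, skew=60):
        """Return a token that is valid for at least `skew` more seconds."""
        if self.access_token and self.clock() + skew < self.expires_at:
            return self.access_token
        if self.refresh_token:
            body = {"grant_type": "refresh_token", "refresh_token": self.refresh_token}
        else:
            body = self.grant_body    # no refresh token: re-run the original grant
        self._apply(token_endpoint(self.client_id, self.client_secret, body))
        return self.access_token
```

The client treats a missing refresh_token as the normal case rather than an error, which is the practical consequence of section 4.4.3: an application using client_credentials should cache the access token until near expiry and then authenticate again, and should not build its renewal logic around a refresh token it may never receive.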

  • 21stcn

    (@21stcn)

    I have no opinion about whether a refresh token should be provided for client credentials. I am no expert and I did not claim to be nor did I write an oauth2 plugin. You did, and in your documentation you specify that an example response returns a refresh token. This is the page: https://wp-oauth.com/docs/general/grant-types/client-credentials/

    If it has changed since, here is a screenshot.

    A successful response will contain the following.

    {
      "access_token": "apvwxkbcxrnm9o92wmp4yjlbmoajeycfbn4ws6nx",
      "expires_in": 9087654,
      "token_type": "Bearer",
      "scope": "basic",
      "refresh_token": "z8wpp3pshgled4d81b4z8dmlc6ftwdscpgktyh7u"
    }

    I was only working to your documentation, which I transcribed into documentation for the app developers. A refresh token for client credentials is not a feature request from me; I don’t know or care about the IETF draft, I was working with what you specified was a mandatory response for your plugin in the official docs.

    While you are overhauling your site and support system, could you also make a note to make sure your documentation is accurate. Thanks.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    I am a pro subscriber of the plugin.

    I am sorry, but the author cannot support you here. No author is allowed to do that here.

    For pro or commercial product support please contact the author directly on their site. This includes any pre-sales topics as well.

    As the author is aware, commercial products are not supported in these forums. I am sure they will have no problem supporting you there.

  • The topic ‘Client credentials no Refresh token’ is closed to new replies.