Device flow + refresh token - is client secret really required?

I was familiarising myself with the device flow and made the following project to demo how to acquire the device/user code, and then how to use the refresh token to acquire an access token: test-device-flow

When I was doing so I was a little puzzled by the Auth0 docs @ Call Your API Using the Device Authorization Flow. They include guidance that Client Secret should be included when using the refresh token. This sounded odd - because if this is a native or a web application and we have to ship the client secret then that defeats the purpose of it being a “secret”. I retried my sample without any mention of the client secret, and it worked just fine.

Is this documentation maybe wrong or out of date?

The file on GitHub is: docs/refresh-tokens.md at master · auth0/docs · GitHub, and the commit that introduced this is the most recent change to that file: fe1d151d4fd44ca17179b47de82977ec92959ec6

The reason I’m asking is because I suspect many people will be exposing this Client Secret by following this guidance, possibly unnecessarily.

Hey there @sean.mclemon1!

Thanks a bunch for pointing this out - The client secret is certainly not required in the context of a native app as you’ve noticed/pointed out. I believe this documentation takes into account that the device flow can be used for a confidential client, but that is certainly not the primary use-case and the documentation reads that way. I’m going to request the docs are updated to clarify.

Thanks again! :pray:

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.