I was familiarising myself with the device flow and made the following project to demo how to acquire the device/user code, and then how to use the refresh token to acquire an access token: test-device-flow
When I was doing so I was a little puzzled by the Auth0 docs @ Call Your API Using the Device Authorization Flow. They include guidance that the Client Secret should be included when using the refresh token. This sounded odd, because if this is a native or a web application and we have to ship the client secret, then that defeats the purpose of it being a “secret”. I retried my sample without any mention of the client secret, and it worked just fine.
Is this documentation maybe wrong or out of date?
The file on GitHub is: docs/refresh-tokens.md at master · auth0/docs · GitHub, and the commit that introduced this is the most recent change to that file: fe1d151d4fd44ca17179b47de82977ec92959ec6
The reason I’m asking is because I suspect many people will be exposing this Client Secret by following this guidance, possibly unnecessarily.
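Added example, not code from the original post, the linked project, or Auth0: a minimal offline model of the two exchanges the post describes, the Device Authorization Grant (RFC 8628) followed by a refresh_token grant (RFC 6749 section 6), showing which requests carry a client secret. The two registered clients ("native-app" as a public client, "backend-svc" as a confidential one), the example secret, the verification URI and all token values are constructed for illustration and are not real identifiers; nothing here contacts Auth0 or any network service.

```python
"""Offline model of the device_code grant and the refresh_token grant.

Constructed for illustration: client IDs, the secret, the verification URI
and every token value are made up; no real authorization server is used.
"""
import secrets
import time

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


class AuthServer:
    """In-memory stand-in for the device-authorization and token endpoints."""

    def __init__(self):
        # Constructed client registry. A public client (native app, SPA) has
        # no secret at all, so there is nothing to ship or leak; only the
        # confidential client is expected to authenticate with one.
        self.clients = {
            "native-app": {"public": True, "secret": None},
            "backend-svc": {"public": False, "secret": "example-secret"},
        }
        self.device_codes = {}    # device_code -> pending authorization
        self.refresh_tokens = {}  # refresh_token -> client_id that owns it

    def device_authorization(self, client_id, scope):
        """Device endpoint: hand the device a device_code and a user_code."""
        if client_id not in self.clients:
            return {"error": "invalid_client"}
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self.device_codes[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "approved": False, "expires_at": time.time() + 600,
        }
        return {
            "device_code": device_code, "user_code": user_code,
            "verification_uri": "https://example.invalid/activate",
            "expires_in": 600, "interval": 5,
        }

    def approve(self, user_code):
        """Simulate the user entering the user_code on the verification page."""
        for rec in self.device_codes.values():
            if rec["user_code"] == user_code and rec["expires_at"] > time.time():
                rec["approved"] = True
                return True
        return False

    def _issue(self, client_id, scope):
        # Refresh-token rotation: every successful grant mints a new one.
        refresh_token = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh_token] = client_id
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": refresh_token, "scope": scope}

    def token(self, params):
        """Token endpoint for both the device_code and refresh_token grants."""
        client_id = params.get("client_id")
        client = self.clients.get(client_id)
        if client is None:
            return {"error": "invalid_client"}
        # Client authentication comes before any grant is examined. A
        # confidential client must present its secret; a public client is
        # identified by client_id alone and sends no secret at all.
        if not client["public"] and not secrets.compare_digest(
                str(params.get("client_secret") or ""), client["secret"]):
            return {"error": "invalid_client"}
        grant = params.get("grant_type")
        if grant == DEVICE_GRANT:
            code = params.get("device_code")
            rec = self.device_codes.get(code)
            if rec is None or rec["client_id"] != client_id:
                return {"error": "invalid_grant"}
            if rec["expires_at"] < time.time():
                del self.device_codes[code]
                return {"error": "expired_token"}
            if not rec["approved"]:
                return {"error": "authorization_pending"}  # keep polling
            del self.device_codes[code]  # a device_code is single use
            return self._issue(client_id, rec["scope"])
        if grant == "refresh_token":
            old = params.get("refresh_token")
            # The refresh token must exist and be bound to this client_id.
            if self.refresh_tokens.get(old) != client_id:
                return {"error": "invalid_grant"}
            del self.refresh_tokens[old]  # rotated: the old token is now dead
            return self._issue(client_id, params.get("scope", ""))
        return {"error": "unsupported_grant_type"}


def run_public_client_flow(server):
    """Full flow for the public client: device code, approval, refresh."""
    dev = server.device_authorization("native-app", "openid offline_access")
    poll = {"grant_type": DEVICE_GRANT, "client_id": "native-app",
            "device_code": dev["device_code"]}
    assert server.token(poll)["error"] == "authorization_pending"
    server.approve(dev["user_code"])  # user finishes on another device
    first = server.token(poll)
    # Refresh request carries client_id only: no client_secret anywhere.
    return server.token({"grant_type": "refresh_token", "client_id": "native-app",
                         "refresh_token": first["refresh_token"]})


if __name__ == "__main__":
    print(run_public_client_flow(AuthServer()))
```

The refresh request issued by the public client carries only `client_id` and `refresh_token`, which is the shape of request the post reports working without a secret; in this model the token endpoint only demands `client_secret` from the confidential client, and presenting a secret from a native app would add nothing because the app cannot keep it confidential anyway. Rotation (the old refresh token is invalidated when a new one is issued) is included because it is the usual compensating control for a long-lived refresh token held on a device.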