Device flow + refresh token - is client secret really required?

I was familiarising myself with the device flow and made the following project to demo how to acquire the device/user code, and then how to use the refresh token to acquire an access token: test-device-flow

When I was doing so I was a little puzzled by the Auth0 docs @ Call Your API Using the Device Authorization Flow. They include guidance that Client Secret should be included when using the refresh token. This sounded odd - because if this is a native or a web application and we have to ship the client secret then that defeats the purpose of it being a “secret”. I retried my sample without any mention of the client secret, and it worked just fine.

Is this documentation maybe wrong or out of date?

The file on GitHub is: docs/refresh-tokens.md at master · auth0/docs · GitHub, and the commit that introduced this is the most recent change to that file: fe1d151d4fd44ca17179b47de82977ec92959ec6

The reason I’m asking is because I suspect many people will be exposing this Client Secret by following this guidance, possibly unnecessarily.

Hey there @sean.mclemon1!

Thanks a bunch for pointing this out - The client secret is certainly not required in the context of a native app as you’ve noticed/pointed out. I believe this documentation takes into account that the device flow can be used for a confidential client, but that is certainly not the primary use-case and the documentation reads that way. I’m going to request the docs are updated to clarify.

Thanks again! 🙏
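The refresh-token request discussed in this thread, as an added example that is not part of the original posts or of Auth0's documentation: it builds the RFC 6749 section 6 request for a public (native/device) client without a secret and for a confidential client with one, and refuses to put a secret into a public client's request. The token URL, client ID, token values and function names are constructed placeholders, and a form-encoded body is assumed.

```python
# Added example: tenant domain, IDs and tokens are constructed placeholders.
from urllib.parse import urlencode, parse_qs
from urllib.request import Request

TOKEN_URL = "https://YOUR_TENANT.example/oauth/token"  # placeholder, not a real tenant


def build_refresh_request(client_id, refresh_token, client_secret=None, confidential=False):
    """Build (but do not send) a refresh-token grant request."""
    if client_secret and not confidential:
        # A native/device app is a public client: anything shipped inside it
        # can be extracted, so an embedded "secret" authenticates nobody.
        raise ValueError("public client must not carry a client_secret")
    if confidential and not client_secret:
        raise ValueError("confidential client requires a client_secret")
    form = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
    }
    if confidential:
        # Only a backend that can keep the value private should reach this branch.
        form["client_secret"] = client_secret
    return Request(
        TOKEN_URL,
        data=urlencode(form).encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def form_fields(req):
    """Decode the request body back into a dict for inspection or logging review."""
    return {k: v[0] for k, v in parse_qs(req.data.decode("ascii")).items()}


if __name__ == "__main__":
    public = build_refresh_request("CONSTRUCTED_CLIENT_ID", "CONSTRUCTED_REFRESH_TOKEN")
    print(sorted(form_fields(public)))  # no client_secret field for the device app
    server = build_refresh_request(
        "CONSTRUCTED_CLIENT_ID", "CONSTRUCTED_REFRESH_TOKEN",
        client_secret="CONSTRUCTED_SECRET", confidential=True,
    )
    print(sorted(form_fields(server)))
```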
