Get refresh token from client_credentials flow

Hi,
Is it possible to get a refresh token from a client_credentials request? I have been testing setting the scope param to offline_access and retrieve the following response…

{
  "error": "access_denied",
  "error_description": "Client has not been granted scopes: offline_access"
}

I have been thinking of another way to get a refresh token using the access token, but I have not found any endpoint or similar to do it.

Hi @developer9

I don’t know the answer to your question, but I am wondering why you are taking this approach.

Refresh tokens are used (in one scenario) when the user is not there to re-enter their credentials (thus the name “offline_access”). With Client Credentials, the application IS there to provide credentials. Why are you using a refresh token here? You can get a new CC token instead.

John

Hi @john.gateley,

Probably I’m wrong to use it this way; I’m going to explain better. I have an app; the user should enter their credentials the first time, but then I want to use refresh tokens when the session has expired to avoid re-entering the credentials. When I try to use the refresh_token grant_type, the refresh_token param must be specified (I suppose with the old refresh token). So, how can I get a refresh token?

Do you think it would be better to use another flow for my case?

Thanks!

Vote up for this topic.
@developer9 never got an answer to this.
I have the same question. So,

  1. Using my CC, I want to obtain the access_token along with a refresh_token
  2. When the access_token times out, I would expect to use the expired access_token with the refresh_token to obtain a new access_token.

To my understanding this is the “normal” way of doing it, but I fail to get it to work with the current documentation.
Please revert back with some info on both matters.
Regards,
Nikolaj

Hi @nra

With client credentials, you don’t need a refresh token. You just get a new access token by re-running the client credentials grant.

John

Hi

Thanks for the reply, @john.gateley.
What makes the CC grant different from the U/P grant, when it comes to refresh tokens?
When using the CC grant you’re exposing your credentials. I’d like to minimize that. Same goes for the U/P grant.

Thanks

Nikolaj

Hi @nra

The CC grant is intended for use by secure clients (the server), exchanging their credentials for the access token. Thus, the credential “exposure” is not the same as for U/P.

If your CC credentials are at the same risk as U/P, you probably shouldn’t be using CC.

John
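
An added sketch, not part of the thread and not any identity provider's own code, of what "re-running the client credentials grant" looks like on a server: a cache that hands out the current access token and repeats the RFC 6749 section 4.4 request shortly before expiry, with no refresh token involved. The token URL is a placeholder, and `fetch_cc_token`, `ClientCredentialsTokenCache` and `demo` are hypothetical names; the demo uses a constructed fake endpoint and clock so it runs offline.

```python
import base64, json, time, urllib.parse, urllib.request

TOKEN_URL = "https://auth.example.test/oauth/token"  # placeholder, not from the thread

def fetch_cc_token(client_id, client_secret, url=TOKEN_URL):
    """POST grant_type=client_credentials with HTTP Basic client auth (server-side only)."""
    quote = urllib.parse.quote_plus
    basic = base64.b64encode(f"{quote(client_id)}:{quote(client_secret)}".encode()).decode()
    req = urllib.request.Request(
        url,
        data=urllib.parse.urlencode({"grant_type": "client_credentials"}).encode(),
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class ClientCredentialsTokenCache:
    """Caches the access token and re-runs the grant shortly before it expires."""

    def __init__(self, fetch, skew=30, clock=time.monotonic):
        self._fetch = fetch        # callable returning the token endpoint's JSON
        self._skew = skew          # renew this many seconds before expiry
        self._clock = clock
        self._token = None
        self._expires_at = 0.0

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            body = self._fetch()
            if "access_token" not in body:
                raise RuntimeError(body.get("error_description", "token request failed"))
            self._token = body["access_token"]
            # A missing expires_in is treated as 0, so the next call asks again.
            self._expires_at = now + float(body.get("expires_in", 0))
        return self._token

def demo():
    """Constructed offline run: a fake endpoint and a fake clock."""
    issued, t = [], [0.0]
    def fake_fetch():
        issued.append(f"token-{len(issued) + 1}")
        return {"access_token": issued[-1], "token_type": "Bearer", "expires_in": 3600}
    cache = ClientCredentialsTokenCache(fake_fetch, clock=lambda: t[0])
    seen = [cache.get()]
    t[0] = 1800; seen.append(cache.get())   # still valid: served from the cache
    t[0] = 3580; seen.append(cache.get())   # inside the 30 s skew: grant re-run
    return seen, len(issued)
```

In a real service the cache would be built as `ClientCredentialsTokenCache(lambda: fetch_cc_token(client_id, client_secret))`, with the secret loaded from server-side configuration.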