
I'm reading about refresh tokens: https://auth0.com/learn/refresh-tokens/. I'm building an Authentication Server (AS) myself.

To get a refresh token from an email/password authentication, the client app sends 4 pieces of information:

  • client id
  • client password
  • user email
  • user password

My question is: how does the AS pass the client id and password to the client app?

My first idea: is the password generated randomly beforehand and hard-coded in every client app? Why is the client id needed then?

My 2nd idea: the client app on first startup hits the AS to get its client id/password, and uses this pair to get all future refresh tokens. But it isn't secure, as any hacker can hit this same endpoint.

Help appreciated.

jeanpaul62
  • It depends on the way you want to register the client. Do you want dynamic client registration (2nd idea) or to distribute the client id only to trusted clients (first idea)? – pedrofb Jul 17 '17 at 06:30
  • Which one is the common practice? – jeanpaul62 Jul 17 '17 at 06:34
  • Both are valid. It is a design decision. Take a look at the **optional** dynamic client registration protocol of OAuth2 https://tools.ietf.org/html/rfc7592. Also the way that an **optional** initial access token is delivered to the client is out of scope of OAuth2. So decide yourself depending on your requirements – pedrofb Jul 17 '17 at 06:51
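The two options from the question and the comments side by side, as an added example that is not part of the question or any comment: a minimal in-memory authorization server where a trusted client is provisioned out of band (first idea), or registers itself dynamically through an endpoint gated by an initial access token so it is not open to anyone (2nd idea), and where the password grant checks the client secret and the user password before issuing a refresh token. All names, storage and token formats are assumptions, and the sample user and token values are constructed.

```python
import hashlib
import hmac
import secrets

# Handed out of band to trusted developers; gates the registration endpoint
# so it is not an open endpoint (constructed sample value).
INITIAL_ACCESS_TOKEN = "constructed-initial-access-token"

CLIENTS = {}         # client_id -> sha256 of the client secret
REFRESH_TOKENS = {}  # refresh token -> (client_id, email)


def _kdf(password: str, salt: bytes) -> bytes:
    # Slow KDF for low-entropy user passwords; a random client secret only needs sha256.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


_SALT = secrets.token_bytes(16)
USERS = {"alice@example.com": (_SALT, _kdf("correct horse", _SALT))}  # constructed user


def register_client(initial_access_token: str):
    """2nd idea (dynamic registration): only a caller presenting the initial
    access token receives a fresh client_id/client_secret pair."""
    if not hmac.compare_digest(initial_access_token, INITIAL_ACCESS_TOKEN):
        return None
    client_id = secrets.token_urlsafe(16)
    client_secret = secrets.token_urlsafe(32)
    CLIENTS[client_id] = hashlib.sha256(client_secret.encode()).hexdigest()
    return client_id, client_secret  # secret is shown to the client once, stored hashed


def provision_client(client_id: str, client_secret: str) -> None:
    """First idea: the operator registers a trusted client out of band."""
    CLIENTS[client_id] = hashlib.sha256(client_secret.encode()).hexdigest()


def password_grant(client_id: str, client_secret: str, email: str, password: str):
    """The four values from the question: client credentials authenticate the
    app, user credentials authenticate the user; both must pass."""
    stored = CLIENTS.get(client_id)
    presented = hashlib.sha256(client_secret.encode()).hexdigest()
    if stored is None or not hmac.compare_digest(stored, presented):
        return None
    record = USERS.get(email)
    if record is None or not hmac.compare_digest(record[1], _kdf(password, record[0])):
        return None
    token = secrets.token_urlsafe(32)
    REFRESH_TOKENS[token] = (client_id, email)
    return token
```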
