
The official sample Spring Authorization Server returns an access_token and id_token by default for OAuth 2.1 with PKCE:

https://github.com/spring-projects/spring-authorization-server/tree/main/samples/default-authorizationserver

Is it possible that the endpoint /oauth2/token also returns a refresh_token in the response? What changes or configuration would I need in the sample for getting a refresh_token?

Here's a Postman request for the token: [screenshot of the Postman request]

I will also mention a few changes I had to make for Code Flow with PKCE:

Disabled CSRF

// Fragment of the sample's SecurityFilterChain configuration
http
    .authorizeRequests(authorizeRequests ->
        authorizeRequests.anyRequest().authenticated()   // every request needs an authenticated user
    )
    .formLogin(withDefaults())                           // default login page for the resource owner
    .csrf().disable();                                   // CSRF protection switched off for the token request

Changed ClientAuthenticationMethod.CLIENT_SECRET_BASIC to ClientAuthenticationMethod.NONE

Changed requireAuthorizationConsent(true) to requireProofKey(true)

  • Actually it does return a refresh token as well. Just checked on the recent changes of the sample you mentioned – Andrey Grigoriev May 26 '22 at 14:19
  • Can you provide additional details for how you're using the token endpoint and what your configuration is? As @AndreyGrigoriev said, the default sample (unchanged) does return a refresh token in the case of `authorization_code`. – Steve Riesenberg May 26 '22 at 21:42
  • @SteveRiesenberg I just included a snapshot for the Postman request for a token. – abbas May 27 '22 at 07:58
  • 1
    Thanks @abbas. Your question doesn't mention using a public client. The postman request doesn't appear to have credentials (though it may in the Headers section and I cannot see it). I'd recommend putting all of the information about your use case in the question as text and not a screenshot. Having said that, I believe I have answered the question with the assumption that you're using a public client. Hopefully that helps! – Steve Riesenberg May 27 '22 at 17:10

1 Answer


You mention using the Authorization Code Flow with PKCE, which is valid for confidential clients as well as public clients. However, when using a public client (client authentication method = none, no client secret), refresh tokens are not issued.

From #297 Implementation guidelines for Browser-Based Apps (SPA):

Refresh Tokens for Public Clients

There are no plans to implement refresh tokens for Public Clients, as there are no browser APIs that allow refresh tokens to be stored in a secure way, which would result in an increased attack surface.

See #297 for more information about refresh tokens, which is heavily based on recommendations from OAuth 2.0 for Browser-Based Apps and OAuth 2.0 Security Best Current Practice. The recommendation when using a public client is to use the "backend for frontend" pattern. The BFF will be a confidential client and can receive refresh tokens while also removing the complexity and risk of managing and storing tokens in the browser.
