Enable refresh_token usage for public clients #2138
Comments
|
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/184036829 The labels on this github issue will be updated when the story is started. |
|
Are you referring using the code_challenge without a client_secret? https://docs.cloudfoundry.org/api/uaa/version/76.5.0/index.html#overview |
|
Is an empty string solution sufficient for your need, or is there something more? It appears that the CF CLI uses the refresh endpoint using a public client as well: https://github.com/cloudfoundry/cli/blob/main/api/uaa/refresh_token.go#L48 |
|
@jwdomes I think you mean option from #1888 where you can omit client_secret in authz code flow. Because in refresh_token grant you are right, this is not prepared for public usage. |
|
@strehle - would there be any option to implement the refresh_token grant flow for public clients that makes use of the As it stands, the public client needs to make a call to the refresh endpoint within the lifetime of the auth token (for us that's 10 mins) or we're forced to make the user reauthenticate.
Does this imply that the |
|
@jwdomes yes I can do this, however the refresh would work for tokens which are received only via authorization_code. The cf client - typically used for "cf login" is if no changes are done a oauth2 client with an empty secret "" and "authorized_grant_types: password refresh_token". The term public and PKCE is bound to grant type "authorization_code". This combination should replace the implit flow. So my fix would allow a refresh flow only for such tokens. Tokens via password grant , e.g. "cf login " are bound to password grant and for this grant type the standard has no public usage allowed. btw: https://oauth.net/2.1/ is not official.
see: |
|
What is the currently recommended approach/library to authenticating frontends when using UAA? I have a frontend app and would like to use MSAL (official Microsoft auth package) for auth but it's not compatible since UAA doesn't support |
|
Hi, will work on it and provide this since problem understood. |
|
First PR ready: #2385 Next we then use this and check for refresh flow that public tokens can be refreshed |
|
created a PR #2402 and to be on safe side , also with standard
|
Does CF UAA have a configuration that allows for public clients who used PKCE in the authorization code grant flow (and thus don't have a
client_secret) to use arefresh_tokenwithout requiring aclient_secretin the refresh request?The text was updated successfully, but these errors were encountered: