fix: Move refresh rotate check to refresh flow #2437
Merged
Add client_auth_method to access token always but allow refresh (without secret) only if token before was client_auth=none and client has rotate=true for refresh tokens
Refactor feature from #2402
During dev/test of #2435 I found that it is a bad idea to combine the setting at the beginning with rotate. So the access_token should always have client_auth_method=none if there was no secret (or an empty secret).
Later, in the refresh flow, the check should be done if rotate=true and then allow refresh without a secret.
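The two-stage behaviour described in this pull request, sketched as an added example that is not code from the pull request or the project: issuance always records `client_auth_method`, and the rotate check happens only in the refresh flow. The `Client` class, the in-memory `STORE`, the `client_secret` method label and the function names are assumptions made for this illustration.

```python
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class Client:                      # hypothetical client registration
    client_id: str
    secret: str                    # "" means no secret registered
    rotate_refresh_tokens: bool    # stands in for the page's rotate=true

STORE = {}                         # refresh token -> claims (in-memory, demo only)

def _auth_method(client, presented_secret):
    """Return the method to record, or None if authentication failed."""
    if not presented_secret:
        return "none"              # no secret or empty secret is always recorded as none
    ok = hmac.compare_digest(presented_secret.encode(), client.secret.encode())
    return "client_secret" if ok and client.secret else None

def issue(client, presented_secret, user):
    method = _auth_method(client, presented_secret)
    if method is None or (method == "none" and client.secret):
        raise PermissionError("client authentication failed")
    # Issuance does not look at rotation at all; it only records the method.
    claims = {"sub": user, "cid": client.client_id, "client_auth_method": method}
    refresh_token = secrets.token_urlsafe(32)
    STORE[refresh_token] = claims
    return {"access_claims": dict(claims), "refresh_token": refresh_token}

def refresh(client, refresh_token, presented_secret):
    claims = STORE.get(refresh_token)
    if claims is None or claims["cid"] != client.client_id:
        raise PermissionError("unknown refresh token")
    method = _auth_method(client, presented_secret)
    if method is None:
        raise PermissionError("client authentication failed")
    if method == "none":
        # The rotate check lives here, in the refresh flow.
        if claims["client_auth_method"] != "none":
            raise PermissionError("token was issued to an authenticated client")
        if not client.rotate_refresh_tokens:
            raise PermissionError("refresh without secret requires rotation")
    new_claims = dict(claims, client_auth_method=method)
    if client.rotate_refresh_tokens:
        del STORE[refresh_token]   # rotation: the old refresh token is single-use
        refresh_token = secrets.token_urlsafe(32)
        STORE[refresh_token] = new_claims
    return {"access_claims": new_claims, "refresh_token": refresh_token}
```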