[Openid-specs-ab] Hybird flow refresh tokens with javascript clients

SureshAtt suresh.attanayake at gmail.com
Sat Jul 28 22:30:54 UTC 2018

Hello everyone,

Is it expected that Javascript clients are allowed to get refresh tokens
using hybrid flow?

According to the OIDC spec and to the Multiple Response Types Encoding
Practice spec, in the hybrid flow the authoriation code by default is
returned with fragment encoding (query encoding must not be used). This
means a Javascript client can get hold of the authorization code and use it
to get a refresh token. With this refresh token, the Javascript client can
keep refreshing access tokens using the "none" client authentication

However, the OAuth2 spec (section 10.4) says "*Refresh tokens MUST be kept
confidential in transit and storage*". But Javascript clients are by nature
public clients which are unable to keep the refresh tokens confidential.
And neither OIDC spec security considerations section nor the OAuth2 Threat
Model spec cover the case where the refresh tokens are stored in a JS
client, for example against tampering the refresh token stored in the local

Therefore I am not clear if it is expected to use refresh tokens with
Javascript clients or not. Please help me to clearify this point.

Thanks & regards,
Suresh Attanayake
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20180729/2f1a8683/attachment.html>

More information about the Openid-specs-ab mailing list