[Openid-specs-ab] Hybrid flow refresh tokens with javascript clients

David Waite david at alkaline-solutions.com
Sun Jul 29 03:36:07 UTC 2018


> On Jul 28, 2018, at 6:32 PM, Nat Sakimura via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:

<snip>
> A public client cannot get refresh token. 
> Assuming that you mean "a client working within a browser using JavaScript" by "a JavaScript Client" since it is a public client, it cannot get a refresh token. 

I’m not familiar with this restriction; my understanding is that it is valid and in fact not uncommon for public clients to get and use refresh tokens. RFC 6749, for example, does not state such a restriction, and even has language around differing behavior with confidential clients vs. public clients:
 
   "Because refresh tokens are typically long-lasting credentials used to
   request additional access tokens, the refresh token is bound to the
   client to which it was issued.  If the client type is confidential or
   the client was issued client credentials (or assigned other
   authentication requirements), the client MUST authenticate with the
   authorization server as described in Section 3.2.1"

There are quite legitimate reasons for public clients to have refresh tokens, and quite a few mobile apps which already are using refresh tokens.

With SPA clients for instance, it allows you to extend access without hidden Iframe tricks (and thus could be a workaround to ITP 2.0 blocking state access on XHR / frames / non-interactive redirects, and such forms of cross-domain access causing IDPs to be flagged as trackers)

-DW
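The RFC 6749 Section 6 behaviour discussed above, as an added example that is not part of the mailing-list post: a minimal model of a token endpoint's refresh_token grant in which a public client can be issued and use a refresh token without credentials, the token is bound to the client_id it was issued to, and a confidential client must additionally authenticate. The client registrations, client ids, secret and token values are constructed for this example; rotating the refresh token on every use is an added hardening choice of this example, not something the post or RFC 6749 requires.

```python
# Added example (not part of the mailing-list post): a minimal model of an
# OAuth 2.0 token endpoint handling the refresh_token grant (RFC 6749 Section 6).
# Shows: public clients may hold refresh tokens; each token is bound to the
# client_id it was issued to; confidential clients must authenticate.
# Client registrations, ids, secret and token values are constructed here.
# Rotation on use is an added hardening choice, not an RFC 6749 requirement.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed client registrations: one public client (browser SPA or
# mobile app, no secret) and one confidential client (server-side web app).
CLIENTS = {
    "spa-client": {"confidential": False, "secret": None},
    "web-client": {"confidential": True, "secret": "s3cr3t-web"},
}


@dataclass
class AuthorizationServer:
    # refresh_token value -> client_id it was issued to (the binding).
    refresh_tokens: dict = field(default_factory=dict)

    def issue_refresh_token(self, client_id: str) -> str:
        """Issue a refresh token bound to client_id; any registered client type."""
        if client_id not in CLIENTS:
            raise ValueError("unknown client")
        token = secrets.token_urlsafe(32)
        self.refresh_tokens[token] = client_id
        return token

    def _authenticate(self, client_id: str, client_secret: Optional[str]) -> bool:
        """Confidential clients MUST authenticate; public clients only identify."""
        client = CLIENTS.get(client_id)
        if client is None:
            return False
        if not client["confidential"]:
            return True  # public client: there are no credentials to check
        if client_secret is None:
            return False
        return hmac.compare_digest(client["secret"], client_secret)

    def refresh(self, params: dict, client_secret: Optional[str] = None) -> dict:
        """Handle a refresh_token grant; return a token response or an error."""
        if params.get("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}
        client_id = params.get("client_id", "")
        if not self._authenticate(client_id, client_secret):
            return {"error": "invalid_client"}
        presented = params.get("refresh_token", "")
        bound_to = self.refresh_tokens.get(presented)
        # Binding check: the token must exist and belong to this client_id,
        # so a token issued to one client cannot be redeemed by another.
        if bound_to is None or bound_to != client_id:
            return {"error": "invalid_grant"}
        # Rotate: retire the used refresh token and hand out a fresh one.
        del self.refresh_tokens[presented]
        new_refresh = self.issue_refresh_token(client_id)
        return {
            "access_token": secrets.token_urlsafe(24),
            "token_type": "Bearer",
            "expires_in": 3600,
            "refresh_token": new_refresh,
        }
```

A public client calls refresh() with only grant_type, client_id and refresh_token; a confidential client must also supply its secret, and a token issued to the public client is rejected with invalid_grant when presented under the confidential client's id even with valid credentials.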

