[Openid-specs-ab] Issue #1627: Pre-authz mode does not appear to allow credential refresh (openid/connect)

David Chadwick issues-reply at bitbucket.org
Thu Sep 1 09:28:15 UTC 2022


New issue 1627: Pre-authz mode does not appear to allow credential refresh
https://bitbucket.org/openid/connect/issues/1627/pre-authz-mode-does-not-appear-to-allow

David Chadwick:

Because the pre-authz flow does not identify and authenticate the client according to the current protocol specification, ?our?many? OAuth servers do not return a refresh token to the client (only an access token). This makes it difficult to use this mode of issuing with credentials such as mDL that are relatively short-lived and not revocable. It means the user would frequently need to return to the issuer and start the whole issuing process again, as the access token is short-lived.

Is the lack of refresh token an implementation bug or is it correct behaviour implied by the OAuth2 spec?


