lilbiscuit

Reputation: 2249

oauth2-server-php not returning refresh token

Using this oauth2 library for PHP, I am validating a user via client_credentials like this:

server.php

$server = new OAuth2\Server($storage, [
    'access_lifetime' => 3600, // 1 hour
    'refresh_token_lifetime' => 50400, // note: 50400 s is 14 hours; 14 days would be 1209600
]);

// Register the client_credentials grant (extra closing parenthesis removed)
$server->addGrantType(new OAuth2\GrantType\ClientCredentials($server->getStorage('client_credentials'), ['always_issue_new_refresh_token' => true]));

Then in my endpoint (token.php):

require_once __DIR__.'/server.php';
$request = OAuth2\Request::createFromGlobals();
$server->handleTokenRequest($request)->send(); // returns the token object

Although a new access_token is returned, no refresh_token is returned:

{"access_token":"501a3d087db7532d4e4350402f9a5da332d71dfc","expires_in":3600,"token_type":"Bearer","scope":null}

How do you get the refresh_token?

Upvotes: 1

Views: 836

Answers (2)

Spomky-Labs

Reputation: 16705

This is normal behaviour. With the Client Credentials grant type, refresh tokens are useless because the client can get a new access token by asking for a new one whenever it wants.

Moreover, I found a closed issue where the author of the library you use clearly explains that there is no bug here.

As mentioned in this answer, you will find in RFC 6749 section 4.4.3 that the refresh token SHOULD NOT be included.

You can also read this question and the accepted answer.

Upvotes: 1
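As an added example (not oauth2-server-php's code and not from either answer), here is a small Python model of a token endpoint that applies the RFC 6749 rule cited above: a password grant gets a refresh token, client_credentials does not, and the refresh_token grant rotates single-use tokens. The client and user tables, and the REFRESH_LIFETIME of 14 days, are constructed assumptions.

```python
import hmac
import secrets
import time

ACCESS_LIFETIME = 3600         # seconds; the question's access_lifetime
REFRESH_LIFETIME = 14 * 86400  # seconds; the 14 days the question's comment intended

# Whether a grant's token response carries a refresh token (RFC 6749): password (4.3.3)
# MAY; client_credentials (4.4.3) SHOULD NOT, since the client can simply authenticate
# again, so a refresh token would only add a second long-lived bearer secret to protect.
ISSUES_REFRESH = {"password": True, "client_credentials": False}

class TokenEndpoint:
    def __init__(self, clients, users):
        self.clients = clients   # client_id -> client_secret (constructed sample data)
        self.users = users       # username -> password (constructed sample data)
        self.refresh = {}        # refresh_token -> (client_id, expires_at)

    def _check(self, table, key, secret):
        expected = table.get(key)
        return expected is not None and hmac.compare_digest(expected, secret or "")

    def _issue(self, client_id, with_refresh, now):
        token = {"access_token": secrets.token_hex(20), "expires_in": ACCESS_LIFETIME,
                 "token_type": "Bearer", "scope": None}
        if with_refresh:
            rt = secrets.token_hex(20)
            self.refresh[rt] = (client_id, now + REFRESH_LIFETIME)
            token["refresh_token"] = rt
        return token

    def handle(self, params, now=None):
        # params: the POSTed form fields; returns the JSON-able token response
        now = time.time() if now is None else now
        client_id = params.get("client_id")
        if not self._check(self.clients, client_id, params.get("client_secret")):
            return {"error": "invalid_client"}
        grant = params.get("grant_type")
        if grant == "refresh_token":
            # Single-use refresh tokens: pop so a replayed token is rejected.
            entry = self.refresh.pop(params.get("refresh_token"), None)
            if entry is None or entry[0] != client_id or entry[1] <= now:
                return {"error": "invalid_grant"}
            return self._issue(client_id, True, now)
        if grant == "password" and not self._check(
                self.users, params.get("username"), params.get("password")):
            return {"error": "invalid_grant"}
        if grant not in ISSUES_REFRESH:
            return {"error": "unsupported_grant_type"}
        return self._issue(client_id, ISSUES_REFRESH[grant], now)
```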

SamB

Reputation: 3253

You must specify accessType: 'offline' in the OAuth2 options to receive a refresh token. If the former does not work, try access_type: 'offline'.

Upvotes: 0
