Azeli

Reputation: 748

OAuth2 refresh_token confusion

I'm using a 3rd party API server side, which generates an access_token and a refresh_token as per normal via a grant_type=password request. I'm confused because this API does not appear to support grant_type=refresh_token - I keep getting the unsupported grant type error. Does it even matter, when you can just handle unauthorized errors by re-firing the password grant request? Is this typical for 3rd party API use?

Upvotes: 0

Views: 58

Answers (1)

MvdD

Reputation: 23494

The reason that the resource owner password credentials grant issues a refresh token is so that the client does not have to keep the password around in clear text for later use.

The client is supposed to collect username and password, use them to get an access and refresh token and discard the password.

Make sure to send a POST request with Content-Type set to application/x-www-form-urlencoded and include client credentials in a basic authorization header if your authorization server requires it. See RFC-6749 for an example.

Upvotes: 1
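
The refresh request the answer describes, following RFC 6749 sections 6, 2.3.1 and 5.2, as an added example that is not part of the original answer. The token URL, client credentials and token values are constructed placeholders, and the request is only built, not sent:

```python
import base64
import json
from urllib.parse import quote_plus, urlencode
from urllib.request import Request

TOKEN_URL = "https://auth.example.test/oauth/token"  # constructed placeholder


def build_refresh_request(token_url, refresh_token, client_id=None, client_secret=""):
    """Build (not send) an RFC 6749 section 6 refresh request."""
    form = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    if client_id is not None:
        # RFC 6749 section 2.3.1: form-encode id and secret, then Basic-encode.
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    return Request(token_url, data=urlencode(form).encode(), headers=headers, method="POST")


def apply_token_response(status, body, current_refresh_token):
    """Return (access_token, refresh_token_to_store, error_code)."""
    doc = json.loads(body)
    if status == 200 and "access_token" in doc:
        # The server may rotate the refresh token; keep the old one otherwise.
        return doc["access_token"], doc.get("refresh_token", current_refresh_token), None
    # Section 5.2 error codes, e.g. unsupported_grant_type or invalid_grant.
    return None, current_refresh_token, doc.get("error", "invalid_response")


if __name__ == "__main__":
    req = build_refresh_request(TOKEN_URL, "rt-constructed-1", "my client", "s3cr:et")
    print(req.get_method(), req.full_url)
    print(req.header_items())
    print(req.data.decode())
    # Constructed sample responses, not captured from a real server.
    ok_body = '{"access_token": "at-2", "token_type": "Bearer"}'
    print(apply_token_response(200, ok_body, "rt-constructed-1"))
    print(apply_token_response(400, '{"error": "unsupported_grant_type"}', "rt-constructed-1"))
```

Only the refresh token is an input here, so the resource owner's password does not need to be stored after the initial password grant.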
