The current implementation of OAuth2AuthorizationCodeAuthenticationProvider will issue a refresh token to a public client (authenticated via PKCE). This should not be allowed as there are a number of inherent risks with public clients and issuing a refresh token increases the risk to another level.
However, this capability may be introduced at a later point by implementing best practices outlined in OAuth 2.0 for Browser-Based Apps.
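An added illustration of the check this issue asks for, not code from Spring Authorization Server: whether a refresh token accompanies the authorization-code grant response has to depend on how the client authenticated at the token endpoint, not only on the grant types registered for it. The enums and class below are constructed stand-ins for the framework's types; a client that used no credential (PKCE only) is treated as public.

```java
import java.util.EnumSet;
import java.util.Set;

// Constructed stand-ins for the framework's client metadata (not the real types).
enum ClientAuthenticationMethod { CLIENT_SECRET_BASIC, CLIENT_SECRET_POST, NONE }
enum AuthorizationGrantType { AUTHORIZATION_CODE, REFRESH_TOKEN, CLIENT_CREDENTIALS }

public class RefreshTokenPolicy {

    /** Behaviour described in the issue: only the registered grant types decide. */
    static boolean issueRefreshTokenBefore(Set<AuthorizationGrantType> grantTypes) {
        return grantTypes.contains(AuthorizationGrantType.REFRESH_TOKEN);
    }

    /**
     * Hardened decision: the client must also have actually authenticated at the
     * token endpoint. A PKCE-only (public) client authenticates with NONE, so it
     * never receives a refresh token even if refresh_token is a registered grant.
     */
    static boolean issueRefreshTokenAfter(Set<AuthorizationGrantType> grantTypes,
                                          ClientAuthenticationMethod usedAtTokenEndpoint) {
        boolean publicClient = usedAtTokenEndpoint == ClientAuthenticationMethod.NONE;
        return grantTypes.contains(AuthorizationGrantType.REFRESH_TOKEN) && !publicClient;
    }

    public static void main(String[] args) {
        // Constructed registration: authorization_code + refresh_token allowed.
        Set<AuthorizationGrantType> grants = EnumSet.of(
                AuthorizationGrantType.AUTHORIZATION_CODE, AuthorizationGrantType.REFRESH_TOKEN);

        // Public browser-based client: authorization_code with PKCE, no client secret.
        System.out.println("public client, before fix: "
                + issueRefreshTokenBefore(grants));                                   // true
        System.out.println("public client, after fix:  "
                + issueRefreshTokenAfter(grants, ClientAuthenticationMethod.NONE));   // false

        // Confidential client presenting client_secret_basic keeps the refresh token.
        System.out.println("confidential client:       "
                + issueRefreshTokenAfter(grants, ClientAuthenticationMethod.CLIENT_SECRET_BASIC)); // true
    }
}
```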
jgrandja changed the title from "OAuth2AuthorizationCodeAuthenticationProvider should not issue refresh token to public clients" to "OAuth2AuthorizationCodeAuthenticationProvider should not issue refresh token to public client" on May 20, 2021
Related gh-297