Hi, I am from Workday working on the OAuth feature. We currently support the PKCE-based OAuth flow, but we currently do not support returning a refresh token, since client authentication is not possible without a client_secret to exchange the RT for an AT for offline access. I do see a pattern of using device_secret as part of the OpenID Native SSO specification <https://openid.net/specs/openid-connect-native-sso-1_0-04.html>, but I am not sure if this is the right pattern. Is there a recommendation on the security best practice/pattern for how we can support RTs for PKCE-based flows?
Thanks, -Srinivas
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org