Hi,

You could perhaps use private_key_jwt from the OpenID specs: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
Yours,
Emelia

> On 3 Mar 2025, at 20:06, Srinivas Challa <srinivas.challa=40workday....@dmarc.ietf.org> wrote:
>
> Hi,
> I am from Workday, working on the OAuth feature. We currently support the PKCE-based OAuth flow, but we currently do not support returning a refresh token, since client authentication is not possible without a client_secret to exchange the RT for an AT for offline access. I do see a pattern of using device_secret as part of the OpenId Native SSO specification <https://openid.net/specs/openid-connect-native-sso-1_0-04.html>, but I am not sure if this is the right pattern. Is there a recommendation on the security best practice/pattern for how we can support RTs for PKCE-based flows?
>
> Thanks,
> -Srinivas
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org <mailto:oauth@ietf.org>
> To unsubscribe send an email to oauth-le...@ietf.org <mailto:oauth-le...@ietf.org>