Hi Srinivas,

There is no connection between PKCE and refresh tokens.

All OAuth clients should be using PKCE.
https://www.rfc-editor.org/rfc/rfc9700.html#section-2.1.1

If a client doesn't have client credentials, it can still use refresh tokens, but it is recommended that the AS issue one-time use refresh tokens.
https://www.rfc-editor.org/rfc/rfc9700.html#section-2.2.2

Aaron

On Tue, Mar 4, 2025 at 5:06 AM Srinivas Challa <srinivas.challa=40workday....@dmarc.ietf.org> wrote:
> Hi,
>
> I am from Workday working on the OAuth feature. We currently support the PKCE-based OAuth flow, but we currently do not support returning a refresh token, since client authentication is not possible without a client_secret to exchange RT for AT for offline access. I do see a pattern of using device_secret as part of the OpenID Native SSO specification <https://openid.net/specs/openid-connect-native-sso-1_0-04.html>, but I am not sure if this is the right pattern. Is there a recommendation on the security best practice/pattern on how we can support RT for PKCE-based flows?
>
> Thanks,
>
> -Srinivas
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-le...@ietf.org
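As an added illustration (not code from the thread or from either author), the toy authorization server below shows what Aaron's two pointers look like in practice for a public client that has no client_secret: the S256 PKCE check on the authorization-code exchange, and one-time-use (rotated) refresh tokens where presenting an already-spent token invalidates the grant's still-active token too, which is the refresh-token rotation behaviour RFC 9700 describes. The class, method names, in-memory stores and token formats are assumptions made for the example.

```python
import base64
import hashlib
import secrets

def pkce_challenge(verifier: str) -> str:
    """S256 from RFC 7636: BASE64URL(SHA256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

class AuthorizationServer:
    """Toy AS for a public client (no client_secret): PKCE on the code exchange,
    one-time-use refresh tokens, and grant revocation when a spent token is replayed.
    Methods return None where a real AS would send an invalid_grant error."""

    def __init__(self):
        self.codes = {}           # code -> (client_id, code_challenge, grant_id)
        self.refresh_tokens = {}  # refresh_token -> {grant, client_id, active}
        self.revoked_grants = set()

    def issue_code(self, client_id: str, code_challenge: str) -> str:
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, code_challenge, secrets.token_urlsafe(16))
        return code

    def exchange_code(self, client_id: str, code: str, verifier: str):
        entry = self.codes.pop(code, None)  # authorization codes are single use
        if entry is None or entry[0] != client_id:
            return None
        if not secrets.compare_digest(pkce_challenge(verifier), entry[1]):
            return None  # verifier does not match the challenge sent earlier
        return self._issue_tokens(client_id, entry[2])

    def refresh(self, client_id: str, refresh_token: str):
        rec = self.refresh_tokens.get(refresh_token)
        if rec is None or rec["client_id"] != client_id:
            return None
        if rec["grant"] in self.revoked_grants:
            return None
        if not rec["active"]:
            # Replay of an already-rotated token: the legitimate client and whoever
            # copied it both hold it, so every token of this grant is invalidated.
            self.revoked_grants.add(rec["grant"])
            return None
        rec["active"] = False  # the presented token is spent
        return self._issue_tokens(client_id, rec["grant"])

    def _issue_tokens(self, client_id: str, grant_id: str) -> dict:
        rt = secrets.token_urlsafe(32)
        self.refresh_tokens[rt] = {"grant": grant_id, "client_id": client_id, "active": True}
        return {"access_token": secrets.token_urlsafe(32), "refresh_token": rt}
```

Because the client_id of a public client is not authenticated, the binding check alone is weak; the rotation and reuse detection are what limit the damage from a leaked refresh token.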