Srinivas,
I think what you're getting at is that you don't want to issue a refresh
token to an unauthenticated client, for example a browser client where you
can't protect the secret. As Aaron alluded, PKCE is like a state
param--it's never a bad idea.
Have you considered using DCR for the browse
Cc: Aaron Parecki, oauth@ietf.org
> Subject: Re: [OAUTH-WG] Re: Regarding issuing refresh tokens for PKCE
> based OAuth grant flow
>
> Hi Srinivas, Using PKCE enhances security for public clients when
> acquiring tokens via authorization code grants. Regarding your quest
established trust) and adoptions
will not be an issue if enforced/required.
Thanks,
-Srinivas
From: Thumilan
Date: Tuesday, March 4, 2025 at 8:48 AM
To: Srinivas Challa
Cc: Aaron Parecki, oauth@ietf.org
Subject: Re: [OAUTH-WG] Re: Regarding issuing refresh tokens for PKCE based
OAuth grant flow
Hi Srinivas,
Using PKCE enhances security for public clients when acquiring tokens via
authorization code grants. Regarding your question about using a refresh
token (RT) to obtain an access token (AT), I believe you're asking about
securing the token endpoint for public clients.
To address this,
Hi,
Thanks for the responses. I agree on the recommendation that all clients should
use PKCE. Let me clarify the question is about public clients that cannot have
a client_secret getting refresh tokens without providing client credentials.
Based on the response, looks like as long as we use one
Hi Srinivas,
There is no connection between PKCE and refresh tokens.
All OAuth clients should be using PKCE.
https://www.rfc-editor.org/rfc/rfc9700.html#section-2.1.1
If a client doesn't have client credentials, it can still use refresh
tokens, but it is recommended that the AS issue one-time us
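Aaron's two points above, as an added example that is not part of this thread or of any cited implementation: a hypothetical authorization-server token endpoint for a public client, where the PKCE S256 verifier is what protects the code exchange (no client_secret is ever checked) and refresh tokens are one-time use, so a refresh token presented a second time revokes its whole family. All class and function names are assumptions.

```python
import base64
import hashlib
import secrets


def s256_challenge(code_verifier: str) -> str:
    """PKCE S256 transform: BASE64URL(SHA256(code_verifier)), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class TokenEndpoint:
    """Hypothetical AS state for one public client; no client_secret is checked."""
    def __init__(self):
        self.codes = {}             # authorization code -> stored code_challenge
        self.refresh = {}           # refresh token -> (family id, already used)
        self.revoked_families = set()

    def issue_code(self, code_challenge: str) -> str:
        code = secrets.token_urlsafe(16)
        self.codes[code] = code_challenge
        return code

    def _issue_pair(self, family: str) -> dict:
        # Every grant returns a fresh refresh token (rotation); the presented
        # one is marked used by the caller and can never be accepted again.
        rt = secrets.token_urlsafe(32)
        self.refresh[rt] = (family, False)
        return {"access_token": secrets.token_urlsafe(32), "refresh_token": rt}

    def exchange_code(self, code: str, code_verifier: str):
        challenge = self.codes.pop(code, None)   # codes are single-use as well
        if challenge is None or not secrets.compare_digest(
                s256_challenge(code_verifier), challenge):
            return None                          # unknown code or wrong verifier
        return self._issue_pair(family=secrets.token_urlsafe(8))

    def refresh_grant(self, refresh_token: str):
        entry = self.refresh.get(refresh_token)
        if entry is None:
            return None                          # never issued (or forged)
        family, used = entry
        if used:
            # A one-time token presented twice means a copy is in play besides the
            # legitimate client: revoke the whole family so neither can continue.
            self.revoked_families.add(family)
            return None
        if family in self.revoked_families:
            return None
        self.refresh[refresh_token] = (family, True)
        return self._issue_pair(family)
```

The verifier/challenge pair in the test is the RFC 7636 Appendix B example, so the S256 transform can be checked against a published value.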
Hi,
You could perhaps use private_key_jwt from the OpenID specs:
https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
Yours,
Emelia
> On 3 Mar 2025, at 20:06, Srinivas Challa
> wrote:
>
> Hi,
> I am from Workday working on the OAuth feature. We currently support PKCE
>