Hi all,

According to https://tools.ietf.org/html/rfc6749#section-4.4.3, refresh 
tokens SHOULD NOT be issued for the client credentials grant. 

With CAS we have OAuth2 services which are registered for multiple grant 
types, in our case client credentials, refresh token and authorization 
code. But we only want to allow refresh tokens for authorization code and 
NOT for client credentials.

Is there a configuration option to restrict refresh tokens to certain grant 
types? Because I couldn't find one, we extended 
OAuth20DefaultTokenGenerator:

    @Override
    protected Pair<OAuth20AccessToken, OAuth20RefreshToken> generateAccessTokenOAuthGrantTypes(
            final AccessTokenRequestDataHolder holder) {
        // Let CAS generate the access/refresh token pair as usual
        final Pair<OAuth20AccessToken, OAuth20RefreshToken> accessTokens =
            super.generateAccessTokenOAuthGrantTypes(holder);
        // Drop the refresh token when the grant type is client_credentials
        if (OAuth20GrantTypes.CLIENT_CREDENTIALS.equals(holder.getGrantType())) {
            LOGGER.debug("Suppressing refresh token for client credentials grant. "
                + "According to https://tools.ietf.org/html/rfc6749#section-4.4.3");
            return Pair.of(accessTokens.getLeft(), null);
        }
        return accessTokens;
    }

Does it make sense to introduce some configuration option for this? If so, I 
would try to create a PR for this change.

--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/a6cf4f67-b59b-493a-a798-6b0b18bfdab1n%40apereo.org.
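The following is an added example, not code from the post above or from the CAS project: it generalizes the override in the post into an allow-list of grant types that may receive a refresh token, which is the shape a configuration option for this would take. It assumes the CAS types named in the post (OAuth20DefaultTokenGenerator, AccessTokenRequestDataHolder, OAuth20GrantTypes, OAuth20AccessToken, OAuth20RefreshToken) are importable, that Pair is org.apache.commons.lang3.tuple.Pair, and, for the subclass only, a no-arg superclass constructor; the class and method names RefreshTokenGrantPolicy, allows, apply and PolicyDrivenTokenGenerator are hypothetical.

```java
import java.util.Collections;
import java.util.EnumSet;
import java.util.Set;
import org.apache.commons.lang3.tuple.Pair;
// CAS imports (OAuth20DefaultTokenGenerator, AccessTokenRequestDataHolder,
// OAuth20GrantTypes, OAuth20AccessToken, OAuth20RefreshToken) omitted: their
// packages differ between CAS versions. Assumed available on the classpath.

/** Decides which grant types may receive a refresh token (hypothetical, not CAS code). */
final class RefreshTokenGrantPolicy {
    private final Set<OAuth20GrantTypes> allowedGrantTypes;

    RefreshTokenGrantPolicy(final Set<OAuth20GrantTypes> allowedGrantTypes) {
        // EnumSet.copyOf rejects an empty non-EnumSet collection, so guard that case
        this.allowedGrantTypes = allowedGrantTypes.isEmpty()
            ? Collections.emptySet()
            : EnumSet.copyOf(allowedGrantTypes);
    }

    /** client_credentials never qualifies (RFC 6749 4.4.3); others must be allow-listed. */
    boolean allows(final OAuth20GrantTypes grantType) {
        return grantType != null
            && grantType != OAuth20GrantTypes.CLIENT_CREDENTIALS
            && allowedGrantTypes.contains(grantType);
    }

    /** Strips the refresh token from a generated pair when the grant type is not allowed. */
    Pair<OAuth20AccessToken, OAuth20RefreshToken> apply(
            final OAuth20GrantTypes grantType,
            final Pair<OAuth20AccessToken, OAuth20RefreshToken> tokens) {
        if (tokens.getRight() == null || allows(grantType)) {
            return tokens;
        }
        return Pair.of(tokens.getLeft(), null);
    }
}

/** Same override as in the post, but driven by the policy above (hypothetical). */
class PolicyDrivenTokenGenerator extends OAuth20DefaultTokenGenerator {
    // Assumption: a no-arg superclass constructor; real CAS versions need their own wiring.
    private final RefreshTokenGrantPolicy policy = new RefreshTokenGrantPolicy(
        EnumSet.of(OAuth20GrantTypes.AUTHORIZATION_CODE, OAuth20GrantTypes.REFRESH_TOKEN));

    @Override
    protected Pair<OAuth20AccessToken, OAuth20RefreshToken> generateAccessTokenOAuthGrantTypes(
            final AccessTokenRequestDataHolder holder) {
        return policy.apply(holder.getGrantType(),
                            super.generateAccessTokenOAuthGrantTypes(holder));
    }
}
```

With this shape, the allow-list would be the value of a new property rather than the hard-coded EnumSet, so per-deployment (or per-service) policy can be set without subclassing.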