We have a mobile app which operates as an OAuth 2.0 public client (with client credentials). It uses the resource owner password credentials grant type for authorized communication with our resource servers.

We are working on a software update and want to change the registered client_id and client_secret for the new app version (register a new client at the auth server). The problem is that after the app updates on users' devices, it will inherit the app data of the previous version, including the access and refresh tokens. Since the token scope issued to the new client might be different, we know that we want the new app version to discard the previous version's access tokens. But what about the refresh token?

Technically, the new version of the app will be a different client, but the core OAuth spec section 6 says "the refresh token is bound to the client to which it was issued." So what should we do? We can program the app to discard the previous version's refresh token, but that would inconvenience our users by requiring them to re-enter their password after the software update. I'm tempted to allow the new client to use the refresh token issued to the previous client, but that violates the spec. Does the OAuth community have any insight here?

Thank you.

Kind Regards,
Andre DeMarre

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
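As an added illustration (editor's example, not part of the original message or of any reply on the list), the following minimal in-memory authorization server in Python implements the section 6 binding the question cites: a refresh token presented by a client other than the one it was issued to is rejected with invalid_grant. The client IDs, secrets, resource owner, scopes and token formats are all constructed for the demo; token rotation on refresh is one option section 6 permits, chosen here, not something the spec mandates.

```python
"""Added example: RFC 6749 section 6 refresh-token binding on the server side.
All client registrations, user credentials and token formats below are
constructed for the demo and are not real credentials."""
import hmac
import secrets
from dataclasses import dataclass


class OAuthError(Exception):
    """Carries the RFC 6749 section 5.2 error code as its message."""


# Constructed registrations: the old app build and the new build registered
# as a separate client with a narrower scope set (hypothetical IDs/secrets).
CLIENTS = {
    "mobile-app-v1": {"secret": "s3cret-v1", "scopes": {"profile", "orders"}},
    "mobile-app-v2": {"secret": "s3cret-v2", "scopes": {"profile"}},
}
# Constructed resource owner used by the password grant.
USERS = {"alice": "correct horse battery staple"}


@dataclass(frozen=True)
class RefreshRecord:
    client_id: str   # the client the token was issued to (the section 6 binding)
    username: str
    scope: frozenset


class AuthServer:
    """In-memory authorization server handling the password and refresh grants."""

    def __init__(self):
        self._refresh_tokens = {}  # refresh token string -> RefreshRecord

    def _authenticate_client(self, client_id, client_secret):
        client = CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise OAuthError("invalid_client")
        return client

    def _issue(self, client_id, username, scope):
        # Tokens are opaque random strings; the refresh token is stored
        # server-side together with the client it was issued to.
        refresh_token = secrets.token_urlsafe(32)
        self._refresh_tokens[refresh_token] = RefreshRecord(client_id, username, frozenset(scope))
        return {
            "access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer",
            "refresh_token": refresh_token,
            "scope": " ".join(sorted(scope)),
        }

    def password_grant(self, client_id, client_secret, username, password, scope):
        """RFC 6749 section 4.3: resource owner password credentials grant."""
        client = self._authenticate_client(client_id, client_secret)
        expected = USERS.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            raise OAuthError("invalid_grant")
        if not set(scope) <= client["scopes"]:
            raise OAuthError("invalid_scope")
        return self._issue(client_id, username, scope)

    def refresh_grant(self, client_id, client_secret, refresh_token):
        """RFC 6749 section 6: refresh an access token."""
        self._authenticate_client(client_id, client_secret)
        record = self._refresh_tokens.get(refresh_token)
        # The refresh token MUST have been issued to the authenticated client;
        # any other client presenting it gets invalid_grant, not a new token.
        if record is None or record.client_id != client_id:
            raise OAuthError("invalid_grant")
        # Rotate: the presented token is consumed and a fresh one is issued
        # (section 6 allows, but does not require, issuing a new refresh token).
        del self._refresh_tokens[refresh_token]
        return self._issue(client_id, record.username, record.scope)


def walk_through():
    """Return the outcome of each refresh attempt after the client registration changes."""
    server = AuthServer()
    v1 = server.password_grant("mobile-app-v1", "s3cret-v1", "alice",
                               "correct horse battery staple", ["profile", "orders"])
    results = {}
    # Same client: refresh succeeds and the refresh token is rotated.
    v1_again = server.refresh_grant("mobile-app-v1", "s3cret-v1", v1["refresh_token"])
    results["v1_refresh"] = "ok"
    results["rotated"] = v1_again["refresh_token"] != v1["refresh_token"]
    # Replay of the already-consumed token by the same client is rejected.
    try:
        server.refresh_grant("mobile-app-v1", "s3cret-v1", v1["refresh_token"])
        results["v1_replay"] = "ok"
    except OAuthError as e:
        results["v1_replay"] = str(e)
    # The new client presents the refresh token inherited from the v1 app data.
    try:
        server.refresh_grant("mobile-app-v2", "s3cret-v2", v1_again["refresh_token"])
        results["v2_inherited"] = "ok"
    except OAuthError as e:
        results["v2_inherited"] = str(e)
    return results


if __name__ == "__main__":
    print(walk_through())
```

Running walk_through() shows the old client_id refreshing normally while the new client_id presenting the same refresh token receives invalid_grant: the binding is enforced by the authorization server, so whatever the updated app does with the inherited token, the server is the place the spec expects the check to live.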
