Refresh Token & Access token in Python Application where we are picking initial refresh token from UI

I know we can hit the endpoint below to get the refresh_token and access token(s), but the problem is that I want to hit it without a client secret. Is there any other way to authorize the same endpoint apart from the combination (Base64(client_id+client_secret))?

POST /oauth2/default/v1/token HTTP/1.1
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Authorization: Basic MG9hMTJncG5qZnpvdllTbk41ZDc6UG9zWGpjNmw0WHF5ZDBhek03cjF0SnhyMS1LWHdWYmNFaDk0Q0FDNA==

grant_type: refresh_token
redirect_uri: http://localhost:8080
scope: offline_access openid profile
refresh_token: 03_hBtVj-Hk0Mxo9TPSdl7TLkxQioKqQEzud3ldqHqs

Sounds like you have a Web app with Client Secret auth, in which case, no, you must provide the proper Client Credentials to use the /token endpoint. If you need to hit this endpoint without a Client Secret, you will want to make a SPA with PKCE auth (no Client Secret), and then you only need the client_id to receive/refresh the tokens.
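The secret-less flow described in the answer, sketched in Python as an added example (not code from this thread or from Okta): it derives the RFC 7636 S256 challenge and builds, without sending, the /token requests that carry client_id in the form body and no Authorization header. The issuer URL, client ID and all function names are placeholders assumed for illustration.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qsl, urlencode
from urllib.request import Request

# Placeholder values assumed for this example; none come from the thread.
ISSUER = "https://example.okta.com/oauth2/default"
CLIENT_ID = "0oaEXAMPLECLIENTID"
REDIRECT_URI = "http://localhost:8080"
SCOPE = "offline_access openid profile"

def new_code_verifier():
    """High-entropy verifier: 64 random bytes give 86 chars (RFC 7636 allows 43-128)."""
    return secrets.token_urlsafe(64)

def code_challenge(verifier):
    """S256 challenge: base64url(SHA-256(verifier)) with padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def authorize_url(verifier, state):
    """URL the user agent visits; only the challenge leaves the client here."""
    query = {"client_id": CLIENT_ID, "response_type": "code", "scope": SCOPE,
             "redirect_uri": REDIRECT_URI, "state": state,
             "code_challenge_method": "S256",
             "code_challenge": code_challenge(verifier)}
    return f"{ISSUER}/v1/authorize?{urlencode(query)}"

def token_request(**form):
    """Build (do not send) a /token POST: client_id in the body, no Basic auth."""
    body = urlencode({"client_id": CLIENT_ID, **form}).encode("ascii")
    return Request(f"{ISSUER}/v1/token", data=body, method="POST",
                   headers={"Accept": "application/json",
                            "Content-Type": "application/x-www-form-urlencoded"})

def exchange_code(code, verifier):
    """Redeem the authorization code; the verifier proves who started the flow."""
    return token_request(grant_type="authorization_code", code=code,
                         redirect_uri=REDIRECT_URI, code_verifier=verifier)

def refresh(refresh_token):
    """Refresh without a client secret, with the same form fields as the question."""
    return token_request(grant_type="refresh_token", scope=SCOPE,
                         redirect_uri=REDIRECT_URI, refresh_token=refresh_token)

def form_fields(request):
    """Decode a built request's body back into a dict for inspection."""
    return dict(parse_qsl(request.data.decode("ascii")))
```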
