I have created an application for machine-to-machine authentication using the Client Credentials flow, but when I request an access token using the ClientId and ClientSecret I am not able to get the ‘Refresh token’ along with the access token.
I found that the documentation states that the ‘Refresh token’ is not supported in the Client Credentials flow, so is it necessary to generate a new access token every 1 hour (1 day)?
OR am I missing anything regarding the ‘Refresh token’?
Yes, you will have to retrieve a new token after it expires. This is to prevent access if the credentials your machine is using become invalid. If you need a refresh token, I recommend implementing the authorisation code flow instead.
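As an added example (not code from this thread or from Okta), here is the pattern the answer implies: cache the client-credentials access token and request a new one from the token endpoint shortly before the server-reported `expires_in` elapses. The `fetch` callable and the fake clock are assumptions for offline use; in practice `fetch` would POST the client ID and secret to the token endpoint and return the parsed JSON body.

```python
import threading
import time
from typing import Callable, Dict, Optional

class ClientCredentialsTokenCache:
    """Caches a client-credentials access token and requests a new one shortly
    before it expires. `fetch` POSTs to the token endpoint and returns the parsed
    JSON body; `clock` is injectable so expiry can be exercised offline."""

    def __init__(self, fetch: Callable[[], Dict[str, object]],
                 clock: Callable[[], float] = time.monotonic,
                 refresh_margin_s: float = 60.0) -> None:
        self._fetch, self._clock, self._margin = fetch, clock, refresh_margin_s
        self._lock = threading.Lock()
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.fetch_count = 0  # number of calls made to the token endpoint
    def _is_fresh(self) -> bool:
        # Treat the token as stale `refresh_margin_s` early so an in-flight API
        # call never carries a token that expires mid-request.
        return self._token is not None and self._clock() < self._expires_at - self._margin

    def get_token(self) -> str:
        if self._is_fresh():
            return self._token
        with self._lock:
            if self._is_fresh():  # another thread may have refreshed meanwhile
                return self._token
            body = self._fetch()
            self.fetch_count += 1
            if body.get("token_type") != "Bearer" or "access_token" not in body:
                raise ValueError("unexpected token response")
            self._token = str(body["access_token"])
            # Use the lifetime the server reports instead of assuming one hour.
            self._expires_at = self._clock() + float(body["expires_in"])
            return self._token

def demo() -> int:
    """Constructed: fake 3600 s tokens and a fake clock drive the refresh logic."""
    now, issued = [0.0], [0]
    def fake_fetch() -> Dict[str, object]:
        issued[0] += 1
        return {"access_token": f"tok{issued[0]}", "token_type": "Bearer", "expires_in": 3600}
    cache = ClientCredentialsTokenCache(fake_fetch, clock=lambda: now[0])
    first = cache.get_token()          # fetch #1
    now[0] = 3000.0
    assert cache.get_token() == first  # still valid, served from cache
    now[0] = 3550.0                    # inside the 60 s margin: refetch
    assert cache.get_token() == "tok2"
    return cache.fetch_count           # 2
```

Because the secret is presented on every refresh, the same cache is also where a client notices immediately that the credentials have been revoked: the token endpoint stops issuing tokens and `get_token` fails instead of silently continuing on a long-lived refresh token.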
Thanks for your reply. We had decided on machine-to-machine based communication because we are exposing a REST API (resource server) which is consumed by the client application (it need not be user specific).
Now, if we are providing the authorization code flow, then we might need to create a user in Okta with privileges and share it with the client application. So do you have any recommendation on the role that needs to be assigned to the user, so that they don’t have any other access apart from consuming the REST API from our application?
If you will use the account only to generate JWTs to access the application, then it does not need to have any specific permissions other than the account being active and the user being assigned to the OIDC application.