Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Token Use (Access) and Client Cred. and Res Own #556

Open
wants to merge 1 commit into
base: 7.1.x
Choose a base branch
from

Conversation

denissignoretto
Copy link
Contributor

Client Cred. and Res Own release an access token without prompting for credentials.

The chapter "Token Use" talk about access token. In the last paragraph it's explained using the words "authorization code" but IMHO it's more appropriate the use of access token (if I'm not wrong the /token endpoint respond always with an access or refresh token).

Client Cred. and Res Own release an access token without prompting for credentials.

The chapter "Token Use" talk about access token. In the last paragraph it's explained using the words "authorization code" but IMHO it's more appropriate the use of access token (if I'm not wrong the /token endpoint respond always with an access or refresh token).
@denissignoretto
Copy link
Contributor Author

The same modification applies to 7.2 documentation

P.S. Refresh token usage should be added

@sez11a
Copy link
Member

sez11a commented Dec 9, 2019

@stian-sigvartsen can you verify? Did I get the terminology wrong?

@stian-sigvartsen
Copy link
Contributor

Hi @saz11a. Yes this amendment is correct. Thanks @denissignoretto !
I would only suggest that instead of..

In both cases users are NOT prompted for their passwords and receive an directly an access token.

.. we might consider something like ..

"In both cases the client will receive an access token immediately in the HTTP response, based on the credentials provided in the HTTP request."

@stian-sigvartsen
Copy link
Contributor

p.s. About the refresh tokens, Client Credentials grant will not provide this (as per Spec https://tools.ietf.org/html/rfc6749#section-4.4.3 ) .

The Resource Owner Password Credentials grant will however provide one.

Like @denissignoretto mentioned we should cover their usage also.
It only requires another request to the token endpoint:

https://[hostname]/o/oauth2/token?grant_type=refresh_token&client_id=[client ID]&client_secret=[client secret]&refresh_token=[refresh token]

More details here: https://tools.ietf.org/html/rfc6749#section-6

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants