Is it possible to refresh an access token using the API key only? One of our clients doesn't want to send the API secret as part of the refresh token call. Is it possible?
http://docs.apigee.com/api-services/content/access-tokens#refreshinganaccesstoken says need both API key and secret
Good question!
Yes, it is possible. But doing so would be counter to the OAuth 2.0 specification. You can find the relevant requirements in Section 6 of IETF RFC 6749. It states:
If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in Section 3.2.1.
Section 3.2.1 specifies that the client should send its id and secret (its credentials) encoded in an HTTP Basic Authentication header.
So I think it would be a Bad Idea to allow refresh without the client credentials.
There is a way to do what you want - basically you have the client pass in the client_id, then look up the App via AccessEntity, extract the secret, then assign a contrived Basic Authentication header using the extracted secret, before using the policy OAuthV2/RefreshAccessToken.
But you probably shouldn't do that.
Can you explain the justification for the client asking for a refresh without passing the client secret?
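To make the RFC 6749 requirement quoted in the answer concrete, here is an added example (not code from the original post and not Apigee's own implementation) that builds the refresh request a confidential client should send under Section 6 / Section 3.2.1, and the checks a token endpoint performs on it: authenticate the client from the Basic header, refuse a refresh with client_id alone when that client was issued a secret, and confirm the refresh token was issued to the authenticated client. The client registry and refresh-token store are constructed in-memory stand-ins for the real App lookup, and all client ids, secrets and token values are hypothetical.

```python
"""Refresh-token grant per RFC 6749 Section 6, with client authentication
per Section 3.2.1 (HTTP Basic, Section 2.3.1 encoding).

Added example: the registry and token store below are constructed stand-ins
for a real authorization server's App lookup; all values are hypothetical.
"""
import base64
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlencode

# Constructed sample registry: client_id -> issued secret (None for a public
# client that was never issued credentials) and its client type.
CLIENT_REGISTRY = {
    "confidential-app": {"secret": "s3cr3t-value", "confidential": True},
    "mobile-app": {"secret": None, "confidential": False},
}

# Constructed sample store: refresh_token -> client_id it was issued to.
REFRESH_TOKENS = {
    "rt-aaa": "confidential-app",
    "rt-bbb": "mobile-app",
}


def basic_auth_header(client_id, client_secret):
    """Section 2.3.1: form-urlencode id and secret, then base64 'id:secret'."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode("utf-8")).decode("ascii")


def build_refresh_request(token_url, client_id, client_secret, refresh_token):
    """Client side: the request described in Section 6.

    A confidential client authenticates via the Authorization header; a
    public client (no secret issued) identifies itself with client_id in the
    body instead (Section 2.3 / 3.2.1).
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    if client_secret is not None:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    else:
        body["client_id"] = client_id
    return {"method": "POST", "url": token_url,
            "headers": headers, "body": urlencode(body)}


def authenticate_client(headers):
    """Server side: return the client_id proven by the Basic header, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode("utf-8")
        enc_id, enc_secret = decoded.split(":", 1)
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    client_id, secret = unquote(enc_id), unquote(enc_secret)
    app = CLIENT_REGISTRY.get(client_id)
    if app is None or app["secret"] is None:
        return None
    # Constant-time comparison so secret checking does not leak timing.
    if not hmac.compare_digest(secret.encode("utf-8"), app["secret"].encode("utf-8")):
        return None
    return client_id


def validate_refresh_request(headers, body):
    """Server side: (ok, reason) for a refresh_token grant request.

    Returns the RFC 6749 Section 5.2 error code in 'reason' on failure.
    """
    form = dict(parse_qsl(body, keep_blank_values=True))
    if form.get("grant_type") != "refresh_token":
        return False, "unsupported_grant_type"
    refresh_token = form.get("refresh_token")
    if not refresh_token:
        return False, "invalid_request"

    authenticated = authenticate_client(headers)
    if authenticated is None:
        # Section 6: a client that is confidential or was issued credentials
        # MUST authenticate. Only a public client may refresh with client_id.
        app = CLIENT_REGISTRY.get(form.get("client_id"))
        if app is None or app["confidential"] or app["secret"] is not None:
            return False, "invalid_client"
        authenticated = form["client_id"]

    # Section 6: the refresh token must have been issued to this client.
    if REFRESH_TOKENS.get(refresh_token) != authenticated:
        return False, "invalid_grant"
    return True, "ok"


if __name__ == "__main__":
    req = build_refresh_request("https://example.invalid/token",
                                "confidential-app", "s3cr3t-value", "rt-aaa")
    print(validate_refresh_request(req["headers"], req["body"]))
    # The request the client in the question wants to send: key only, no secret.
    print(validate_refresh_request(
        {}, "grant_type=refresh_token&refresh_token=rt-aaa&client_id=confidential-app"))
```

The second call at the bottom is exactly the case asked about: a client that was issued a secret sends client_id without it. A spec-conforming token endpoint answers invalid_client, because at that point the request proves nothing about who holds the refresh token. The public-client branch shows the one situation in which client_id alone is acceptable under Section 6: the client was never issued credentials in the first place.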