Is it possible to refresh token without Client Secret? #3618

baominwang · 2023-08-25T03:19:10Z

baominwang
Aug 25, 2023

As we know, Mobile APP/SPA can use "Authorization Code Flow with PKCE" to get Access Token and Refresh Token. But how does Mobile APP/SPA to refresh the token without client secret?

Answered by vinckr

Sep 29, 2023

Hello @baominwang
See our blogpost OAuth2 with PKCE for Mobile Apps and Single Page Apps for some details how it works.

Mobile apps and Single Page Applications (SPAs) can refresh their tokens using the OAuth2 refresh token grant. The refresh token is a special token that can be used to obtain a new access token or ID token without the user's involvement. The refresh token is issued to the client during the initial token issuance and can be used to obtain a new token when the current token expires.
Here's an example of how to refresh an access token with Ory:


// Set up the endpoint and refresh token  
const endpoint = "https://oauth2.example.com/token"  
const refreshToken = "<refresh to…

View full answer

vinckr · 2023-09-29T08:21:53Z

vinckr
Sep 29, 2023
Maintainer

Hello @baominwang
See our blogpost OAuth2 with PKCE for Mobile Apps and Single Page Apps for some details how it works.

Mobile apps and Single Page Applications (SPAs) can refresh their tokens using the OAuth2 refresh token grant. The refresh token is a special token that can be used to obtain a new access token or ID token without the user's involvement. The refresh token is issued to the client during the initial token issuance and can be used to obtain a new token when the current token expires.
Here's an example of how to refresh an access token with Ory:


// Set up the endpoint and refresh token  
const endpoint = "https://oauth2.example.com/token"  
const refreshToken = "<refresh token>"  
const clientId = "<client id>"  
  
const params = new URLSearchParams({  
 grant_type: "refresh_token",  
 refresh_token: refreshToken,  
 scope: "scope1 scope2",  
 client_id: clientId,  
})  
// Send a POST request to refresh the access token  
fetch(endpoint, {  
 method: "POST",  
 headers: {  
 "Content-Type": "application/x-www-form-urlencoded",  
 },  
 body: params.toString(),  
})  
 .then((response) => {  
 if (!response.ok) {  
 throw new Error("Failed to refresh access token")  
 }  
 return response.json()  
 })  
 .then((data) => {  
 console.log("New access token:", data.access_token)  
 console.log("New ID token:", data.id_token)  
 console.log("New refresh token:", data.refresh_token)  
 })  
 .catch((error) => {  
 console.error(error)  
 })

In this example, the client secret is not required to refresh the token. The client only needs the refresh token and the client ID. The client sends a POST request to the token endpoint with the refresh token and the client ID. If the refresh token is valid, the server responds with a new access token.
For more information, see the OAuth2 refresh token grant documentation.

Let me know if something remains unclear.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Is it possible to refresh token without Client Secret? #3618

{{title}}

Replies: 1 comment

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

Is it possible to refresh token without Client Secret? #3618

baominwang Aug 25, 2023

Replies: 1 comment

vinckr Sep 29, 2023 Maintainer

baominwang
Aug 25, 2023

vinckr
Sep 29, 2023
Maintainer