From: Krzysztof B. <kb...@un...> - 2022-07-07 07:59:04
Hi Sander,

On 07.07.2022 at 07:46, Sander Apweiler wrote:
> Good morning Krzysztof,
> Good morning Roman,
>
> one of our connected services is a single page application using OIDC
> with PKCE. They asked for a possibility to fetch new tokens using the
> refresh token, without authenticating the client. Reading the
> documentation, this is not possible.
>
> What is your opinion on this? Do you see another solution to their
> problem getting new tokens without sending client credentials?

So yes, as of now for public clients Unity blocks the refresh token flow. Enabling that is not a big deal, but essentially means that we would have to lift a bunch of very important security protections.

When it comes to PKCE + refresh token use, the industry standard is to use one additional feature, which is called "refresh token rotation". This one is not that super easy to implement - not super hard either, but a noticeable amount of work. Surely we can put it on our roadmap if you have a decent use case.

Best,
Krzysztof
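To illustrate what "refresh token rotation" means on the authorization server side for a public client (one that cannot present client credentials), here is an added example in Python; it is not Unity code and does not claim to match how Unity or OIDC libraries implement it. The store, the `RefreshTokenStore` class, the "family" concept and the `spa-client` identifier are all assumptions made for the example: every refresh token is single-use, each use issues a replacement in the same family, and reuse of an already-exchanged token revokes the whole family so that neither the legitimate client nor whoever replayed the stale copy can continue.

```python
import hashlib
import secrets
import time

class RefreshTokenStore:
    """Single-use refresh tokens with rotation and reuse detection (illustrative, not Unity code)."""

    def __init__(self, ttl_seconds=3600, now=time.time):
        self._now = now
        self._ttl = ttl_seconds
        self._tokens = {}            # sha256(token) -> record; only hashes are stored server-side
        self._revoked_families = set()

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, client_id, family=None):
        """Mint a fresh refresh token bound to client_id; a new family starts at first login."""
        token = secrets.token_urlsafe(32)
        family = family or secrets.token_hex(8)
        self._tokens[self._hash(token)] = {
            "family": family, "client_id": client_id,
            "used": False, "exp": self._now() + self._ttl,
        }
        return token, family

    def rotate(self, client_id, presented):
        """Exchange a refresh token for its successor, or return an error string (hypothetical API)."""
        rec = self._tokens.get(self._hash(presented))
        if rec is None:
            return None, "invalid_grant: unknown refresh token"
        if rec["family"] in self._revoked_families:
            return None, "invalid_grant: token family revoked"
        if rec["client_id"] != client_id:
            # The public client cannot authenticate, but the token is still bound to the client_id
            return None, "invalid_grant: client_id mismatch"
        if rec["exp"] < self._now():
            return None, "invalid_grant: refresh token expired"
        if rec["used"]:
            # Replay of an already-exchanged token: the legitimate client and a thief both hold
            # copies, and the server cannot tell which one this is, so the whole family dies.
            self._revoked_families.add(rec["family"])
            return None, "invalid_grant: reuse detected, family revoked"
        rec["used"] = True
        new_token, _ = self.issue(client_id, rec["family"])
        return new_token, None
```

A real deployment would also persist the family revocation so it survives restarts and would log the reuse event, since it is the signal that a refresh token leaked.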