From: Krzysztof B. <kb...@un...> - 2025-07-02 10:09:55

Hi Sander,

On 2.07.2025 at 07:56, Sander Apweiler wrote:
> Hi Krzysztof,
> hi Roman,
>
> I have a short question about the refresh token for public clients
> using PKCE. Shall they get a refresh token if they send the offline
> access scope but no openid scope? In the manual I found the refresh token
> rotation for public clients, but no further information.
>
> We configured unity to create refresh tokens only on offline access
> request.

Well, this is not a legitimate request: the offline_access scope is defined in OIDC, so a non-OIDC client using it may fail, and we are not supporting such a setup. That said, I think it should work: such a client should get a one-time-use refresh token.

HTH,
Krzysztof