Hi Albin,

It’s important to note that PKCE does explicitly prohibit client_secret; it just offers a secure way of obtaining an access token when it’s impossible for a client_secret to be kept secret, as would be the case with a mobile application. The type of attack it prevents is during the authorization_code flow, where a malicious app on the device could intercept the browser redirect and get the authorization_code.

Since using a refresh token to get a new access token does not use the browser redirect flow, it’s not subject to that type of attack, so PKCE is not necessary. I’d imagine whichever Authorization Server you are using would allow you to get refresh tokens and use them with or without client authentication (see section 2.3 of the OAuth spec). It may or may not require a client secret (even though said client secret is not guaranteed to be secret).

Hope this helps (and I didn’t mess up any details :D),

Ron

On February 28, 2020 at 10:48:53 AM, Albin Nilsson (al...@bergson.nu) wrote:

> Hello,
>
> I'm having some trouble with oauth and the Authorization Code flow and
> PKCE. How can I get a refresh token? The refresh token flow requires a
> client_secret, but PKCE prohibits client_secret. Is refresh token a no go?
>
> Kind regards,
> Albin
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
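The two token requests discussed in this thread, as an added example that is not part of the original messages: a public client redeems the authorization code with a PKCE code_verifier (RFC 7636, S256 method) and later uses the refresh_token grant with only its client_id, no client_secret and no PKCE parameters. The endpoint and client id are placeholders assumed for the example.

```python
import base64
import hashlib
import secrets

# Hypothetical values assumed for this example (not from the thread).
TOKEN_ENDPOINT = "https://as.example/token"
CLIENT_ID = "mobile-app"


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 code_verifier: 43..128 unreserved chars; 32 random bytes -> 43 chars."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode()


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))) with padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def verify_code_challenge(verifier: str, challenge: str) -> bool:
    """The check the authorization server performs when the code is redeemed;
    an app that only intercepted the redirect has the code but not the verifier."""
    return secrets.compare_digest(make_code_challenge(verifier), challenge)


def authorization_code_request(code: str, verifier: str, redirect_uri: str) -> dict:
    """Form body for POST TOKEN_ENDPOINT redeeming the code (RFC 6749 s4.1.3 + PKCE).
    Proof of possession is the code_verifier; no client_secret is sent."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }


def refresh_token_request(refresh_token: str) -> dict:
    """Form body for POST TOKEN_ENDPOINT with the refresh grant (RFC 6749 s6).
    No browser redirect is involved, so no PKCE parameters; a public client
    identifies itself with client_id alone (RFC 6749 s2.3)."""
    return {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": CLIENT_ID,
    }
```

Whether the server issues a refresh token to a public client, and whether it rotates it on each use, is an authorization-server policy decision, not something PKCE dictates.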