
Conversation

@z1haze

@z1haze z1haze commented Jun 2, 2025

Summary

TLDR: fixes #350

For some reason, the library doesn't include the refresh token when saving the access token during client_credentials flows, but it does for the authorization_code flow. In the event that you need to generate tokens for anonymous users (guests), the client credentials grant is necessary, and the refresh token should be provided.

Linked issue(s)

#350

Involved parts of the project

client_credentials grant flow

Added tests?

No tests

OAuth2 standard

https://datatracker.ietf.org/doc/html/rfc6749#appendix-A.17 (page 44)
https://www.oauth.com/oauth2-servers/access-tokens/access-token-response/ (refresh token section)

Reproduction

Issue a token using client_credentials grant and see the refresh token now exists as it does for the authorization_code grant

@jankapunkt
Member

@z1haze, can you please run the tests and check for the failures? If this is a breaking change then we need to get deeper into this again, because we'd like to avoid breaking until 100% necessary.

@z1haze
Author

z1haze commented Sep 30, 2025

Hi @jankapunkt, where did you see a failure?

@jankapunkt
Member

Tests fail with some errors on Node 22: https://github.com/node-oauth/node-oauth2-server/actions/runs/18139166610/job/51696007624?pr=351

Can you replicate this when running the tests locally?

@jankapunkt
Member

@z1haze is this still relevant to you?

@z1haze
Author

z1haze commented Oct 30, 2025

Yeah, but I just patched it on my end. I don't have the time right now to go through it here. Besides, I think I took a different route based on what your rules are. The fact that they are failing is because I'm returning a refresh token for ones issued with client_credentials, because our SaaS OAuth provider works this way. I can see from your unit tests that you expect this not to be the case. I don't want to argue what's right or wrong. If you're curious, here's the login service I'm using, and refresh_token is returned, even for client_credentials grants: https://developer.salesforce.com/docs/commerce/commerce-api/references/shopper-login?meta=getAccessToken


Development

Successfully merging this pull request may close these issues.

refresh_token missing for client_credentials grant

2 participants