Power By 专否社区

Client Credential Grant fails on AuthorizeRequest due to lack of Refresh Token

Go To StackoverFlow.com

1

A client credential grant does not return a refresh token (DotNetOpenAuth.OAuth2.AuthorizationServer.PrepareAccessTokenRequest forbids it). But ClientBase.AuthorizeRequest requires it. Is this a bug in DotNetOpenAuth or am I doing something wrong?

I suppose I can work around by inheriting ClientBase and overriding AuthorizeRequest. Is that the correct thing to do?

Edit: It's not so easy to inherit from ClientBase outside of DotNetOpenAuth because a lot of the stuff you want is internal only. e.g. ErrorUtilities.VerifyProtocol

Edit2: Just read the draft OAuth 2 spec (draft 25) referred to in DotNetOpenAuth.OAuth2.AuthorizationServer.PrepareAccessTokenRequest and I can't find where it disallows refresh tokens for Client credential grant type. Maybe they changed it?

2012-04-05 14:47
by Ian1971

2

I'm not sure why you say that ClientBase.AuthorizeRequest requires it. Firstly, there is an overload that only takes an access token, so it doesn't even ask for a refresh token. The overload you may have tried accepts an IAuthorizationState object, which may or may not include a refresh token, and it appears that that method only looks for a refresh token if the access token has expired. Since an expired access token can't be used, it tries to refresh it and throws if it can't. It seems reasonable to me.

Whichever method overload you choose to call, your calling mode must either avoid using expired access tokens or be prepared to respond to the exceptions that are thrown when DotNetOpenAuth or the resource server determines that they are expired or revoked. In fact since tokens can be revoked before they expire, it's a good idea to always be prepared for that.

The OAuth 2 spec draft 25 does in fact indicate that a refresh token should not be included in a response to the client credentials grant. From section 4.4.3:

4.4.3. Access Token Response

If the access token request is valid and authorized, the authorization server issues an access token as described in Section 5.1. A refresh token SHOULD NOT be included. If the request failed client authentication or is invalid, the authorization server returns an error response as described in Section 5.2.

2012-04-07 05:35
by Andrew Arnott
You are right (of course), I must be going blind (or stupid, or both). Thanks for your help and all your hard work on the libary - Ian1971 2012-04-10 09:57

3

Google returns Refresh Token if you request it. Provide parameter in query string access_type=offline.

In my case I had to amend default Authorization Endpoint URL to: https://accounts.google.com/o/oauth2/auth?access_type=offline

Google Api C# example using DotNetOpenAuth:

    private WebServerClient GetClient()
    {
        return new WebServerClient(
            new AuthorizationServerDescription
            {
                AuthorizationEndpoint = new Uri("https://accounts.google.com/o/oauth2/auth?access_type=offline"),
                TokenEndpoint = new Uri("https://accounts.google.com/o/oauth2/token"),
                ProtocolVersion = ProtocolVersion.V20,
            },
            clientIdentifier: this.settings.GoogleApisClientIdentifier,
            clientSecret: this.settings.GoogleApisClientSecret
            );
    }

NOTE from my experience: This works only for the First request.

See Google Documentation.

2012-04-25 11:36
by Paulius Zaliaduonis
Ads