Removing refresh_token in client_credentials flow
If you are using the grant_type `client_credentials` to fetch an access token and you are currently using the `refresh_token` from that response to fetch further access tokens, this is a breaking change.
To improve our baseline security we are following the OAuth 2.0 RFC recommendations. This includes no longer responding with a `refresh_token` in the Client Credentials Grant flow (see https://www.rfc-editor.org/rfc/rfc6749#section-4.4.3, which states that a refresh token SHOULD NOT be included in that response).
What do I need to do?
If you only use the refresh token as intended (e.g. one obtained through the redirect grant or device grant flow), there is nothing you need to do.
If you use the `refresh_token` from the Client Credentials Grant, you will need to re-fetch an access token by performing another Client Credentials Grant (the client authenticates again with its credentials) instead of using a `refresh_token`.
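The re-fetch approach described above, as an added example (not the provider's own client code): a small Python token source that runs the `client_credentials` grant again whenever the cached access token is about to expire and never stores or uses a `refresh_token`. The token URL, the `post` callable and the fake endpoint are assumptions constructed for illustration; `post` stands for whatever HTTP helper you use and must return the parsed JSON body.

```python
import base64
import itertools
import time

# Assumed token endpoint (placeholder, not taken from the announcement).
TOKEN_URL = "https://auth.example.com/oauth/token"


class ClientCredentialsTokenSource:
    """Caches an access token from the client_credentials grant and re-runs the
    grant on expiry instead of relying on a refresh_token (RFC 6749 section 4.4)."""

    def __init__(self, client_id, client_secret, post, clock=time.monotonic, skew=30):
        self._client_id = client_id
        self._client_secret = client_secret
        self._post = post            # assumed: post(url, headers, data) -> dict
        self._clock = clock          # injectable for testing
        self._skew = skew            # refresh this many seconds before expiry
        self._token = None
        self._expires_at = 0.0
        self.grant_count = 0         # how many times the grant has been performed

    def _request_token(self):
        # RFC 6749 section 4.4.2: authenticate the client (HTTP Basic here) and
        # send grant_type=client_credentials; no refresh_token is ever sent.
        creds = f"{self._client_id}:{self._client_secret}".encode()
        headers = {"Authorization": "Basic " + base64.b64encode(creds).decode(),
                   "Content-Type": "application/x-www-form-urlencoded"}
        body = self._post(TOKEN_URL, headers=headers, data={"grant_type": "client_credentials"})
        self.grant_count += 1
        # A refresh_token in this response is against section 4.4.3; ignore it if present.
        self._token = body["access_token"]
        # expires_in is optional; without it the token is treated as expired at once.
        self._expires_at = self._clock() + float(body.get("expires_in", 0))

    def access_token(self):
        """Return a valid access token, performing a new grant when needed."""
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            self._request_token()
        return self._token


def make_fake_endpoint():
    """Constructed stand-in for the token endpoint: a fresh token per call, no refresh_token."""
    counter = itertools.count(1)

    def post(url, headers, data):
        assert data == {"grant_type": "client_credentials"}
        assert headers["Authorization"].startswith("Basic ")
        return {"access_token": f"tok-{next(counter)}", "token_type": "bearer", "expires_in": 3600}
    return post
```

Swap `make_fake_endpoint()` for a real HTTP call to run this against an actual authorization server.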
What's next?
- On TBA (paused) we will drop the `refresh_token` from the `client_credentials` responses.