Hi,
I am having a problem with OAuth2. When the token expires Zapier requests a refresh using the refesh_token call to do that with the refresh token but does not send clientId or Client Secret.
So our server (Kahootz) is rejecting the request.
I read through the RFC6749 https://www.ietf.org/rfc/rfc6749.txt and see that in section 6 it says:
“The authorization server MUST:
o require client authentication for confidential clients or for any client that was issued client credentials (or with other authentication requirements),
o authenticate the client if client authentication is included and ensure that the refresh token was issued to the authenticated client, and
o validate the refresh token.”
Since I set up the Auth using a client secret I think that this means the client secret and clientId should also get passed in the refresh_token request.
I also found the following page
https://www.oauth.com/oauth2-servers/access-tokens/refreshing-access-tokens/
which says:
“Client Authentication (required if the client was issued a secret)
Typically, refresh tokens are only used with confidential clients. However, since it is possible to use the authorization code flow without a client secret, the refresh grant may also be used by clients that don’t have a secret. If the client was issued a secret, then the client must authenticate this request. Typically the service will allow either additional request parameters client_id and client_secret, or accept the client ID and secret in the HTTP Basic auth header.”
Am I missing something here?
Kevin
Best answer by ikbelkirasan
View original
