OAuth Client Credential Flow - Refresh Tokens
The issuance of a refresh token with the client credential grant has no benefit.
That is why RFC 6749 section 4.4.3 indicates "A refresh token SHOULD NOT be included". Thus its issuance is at the discretion of the authorization server.
From my point of view an authorization server should never issue a refresh token with the client credentials grant as the access token issuance process will take an additional and unnecessary step:
Issuance with the client_credentials grant type:
- Step one: client authentication (client secret, assertion...)
- OK access token is issued
Issuance with the refresh_token grant type:
- Step one: client authentication (client secret, assertion...)
- Step two: refresh token verification (expiration time, associated client...)
- OK access token is issued
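A minimal token endpoint, added here as an illustration and not part of the original answer, that makes the two paths concrete: `client_credentials` stops after client authentication and returns no refresh token, while `refresh_token` must also verify the token's expiry and the client it is bound to. Client ids, secrets and the stored refresh token are constructed placeholders.

```python
# Added example (not from the original answer): a minimal token endpoint
# showing why client_credentials needs only client authentication while
# refresh_token needs client authentication plus refresh-token verification.
# Constructed data: client ids, secrets and token values are placeholders.
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed registry of confidential clients: client_id -> client_secret.
CLIENTS = {"svc-a": "secret-a", "svc-b": "secret-b"}

# Server-side store of issued refresh tokens: token -> (client_id, expires_at).
REFRESH_TOKENS: Dict[str, Tuple[str, float]] = {}


def authenticate_client(client_id: str, client_secret: str) -> bool:
    """Step one for every grant: verify the client's credentials."""
    expected = CLIENTS.get(client_id)
    return expected is not None and hmac.compare_digest(expected, client_secret)


def verify_refresh_token(token: str, client_id: str, now: float) -> bool:
    """Step two, only for refresh_token: the token must exist, be unexpired,
    and be bound to the client that is presenting it."""
    entry = REFRESH_TOKENS.get(token)
    if entry is None:
        return False
    bound_client, expires_at = entry
    return bound_client == client_id and now < expires_at


def token_endpoint(params: dict, now: Optional[float] = None) -> dict:
    """Handle the client_credentials and refresh_token grants (RFC 6749 4.4 and 6)."""
    now = time.time() if now is None else now
    if not authenticate_client(params.get("client_id", ""), params.get("client_secret", "")):
        return {"error": "invalid_client"}
    grant = params.get("grant_type")
    if grant == "client_credentials":
        # Client already authenticated: issue the access token directly.
        # Per RFC 6749 section 4.4.3 no refresh token is included.
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}
    if grant == "refresh_token":
        if not verify_refresh_token(params.get("refresh_token", ""), params["client_id"], now):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}
    return {"error": "unsupported_grant_type"}
```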