OAuth Client Credential Flow - Refresh Tokens

The issuance of a refresh token with the client credentials grant has no benefit. That is why RFC 6749 section 4.4.3 states that "A refresh token SHOULD NOT be included." Because this is a SHOULD NOT rather than a MUST NOT, its issuance remains at the discretion of the authorization server.

From my point of view, an authorization server should never issue a refresh token with the client credentials grant, as the access token issuance process will take an additional and unnecessary step:

Issuance with the client_credentials grant type:

  • Step one: client authentication (client secret, assertion...)
  • Result: access token is issued

Issuance with the refresh_token grant type:

  • Step one: client authentication (client secret, assertion...)
  • Step two: refresh token verification (expiration time, associated client...)
  • Result: access token is issued
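The two issuance paths above, as an added example that is not part of the original post: a minimal token endpoint (client authentication by client secret only; the client registry, refresh-token store and all client ids, secrets and scopes are constructed for the example) that handles the client_credentials grant in one step and returns no refresh token, and handles the refresh_token grant with the extra verification step (expiry and associated client) that the post describes.

```python
import hmac
import secrets
import time

# Constructed in-memory registries for the example; a real authorization server
# would back these with persistent, audited storage.
CLIENTS = {
    "svc-reporting": {"secret": "example-secret-1", "scopes": {"reports:read"}},
    "svc-billing": {"secret": "example-secret-2", "scopes": {"invoices:read"}},
}
# refresh token value -> {"client_id": ..., "scope": ..., "expires_at": ...}
REFRESH_TOKENS = {}

ACCESS_TOKEN_TTL = 3600      # seconds
REFRESH_TOKEN_TTL = 86400    # seconds


class TokenError(Exception):
    """Carries an RFC 6749 section 5.2 error code (invalid_client, invalid_grant, ...)."""

    def __init__(self, error):
        super().__init__(error)
        self.error = error


def authenticate_client(client_id, client_secret):
    """Step one for every grant: authenticate the client (here: client secret only)."""
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        raise TokenError("invalid_client")
    return client


def register_refresh_token(client_id, scope, now):
    """Store a refresh token for the refresh_token path of the example.

    In a real server this would happen in a user-centric grant such as
    authorization_code, never in client_credentials.
    """
    value = secrets.token_urlsafe(32)
    REFRESH_TOKENS[value] = {
        "client_id": client_id,
        "scope": scope,
        "expires_at": now + REFRESH_TOKEN_TTL,
    }
    return value


def mint_access_token(scope):
    """Build the token response; deliberately contains no refresh_token field."""
    return {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": ACCESS_TOKEN_TTL,
        "scope": scope,
    }


def token_endpoint(params, now=None):
    """Handle one token request (form parameters as a dict).

    client_credentials: client authentication -> access token (no refresh token).
    refresh_token:      client authentication -> refresh token verification -> access token.
    """
    now = time.time() if now is None else now
    client_id = params.get("client_id", "")
    client = authenticate_client(client_id, params.get("client_secret", ""))
    grant = params.get("grant_type")

    if grant == "client_credentials":
        scope = params.get("scope") or " ".join(sorted(client["scopes"]))
        if not set(scope.split()) <= client["scopes"]:
            raise TokenError("invalid_scope")
        # RFC 6749 4.4.3: a refresh token SHOULD NOT be included. The client can
        # simply authenticate again, so the response carries only the access token.
        return mint_access_token(scope)

    if grant == "refresh_token":
        # Step two: the refresh token must exist, be unexpired and belong to this client.
        record = REFRESH_TOKENS.get(params.get("refresh_token", ""))
        if record is None or record["expires_at"] <= now or record["client_id"] != client_id:
            raise TokenError("invalid_grant")
        return mint_access_token(record["scope"])

    raise TokenError("unsupported_grant_type")


def token_error_code(params, now=None):
    """Return the error code a request would produce, or None if it succeeds."""
    try:
        token_endpoint(params, now)
    except TokenError as exc:
        return exc.error
    return None
```

The refresh_token branch has to perform every check the client_credentials branch performs and then verify the stored token as well, which is the additional step the post argues against; a client that can authenticate itself gains nothing from also holding a refresh token.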