For a project I’m currently working on we have decided to use Hydra for handling the OAuth mechanism of our API.
Our main application is developed using React.JS and is a Single Page App (SPA). As we want our user to be “permanently” logged in, we have decided to use an authorization code grant flow with PKCE since we can’t provide a client secret as the source code is easily readable.
The whole authorization code grant flow works very well and we can get our refresh_token without any problem.
My issue is how to refresh this access_token. Each time I try to use the /oauth/token endpoint I get an error about not providing the client_id and the client_secret in Authorization Basic form, even if my clients contain:
A strange point is that there is never any mention of refresh tokens in RFC 7636. Is it possible to refresh a token without providing a secret?
Sorry if it’s a silly question, but I wasn’t able to find an answer on the many sites I’ve checked.
Thanks in advance for your answers.
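The refresh request a public PKCE client would send, as an added example that is not part of the original post or of Hydra's code: it assumes the client is registered with token_endpoint_auth_method set to none, so client_id travels in the form body (RFC 6749 sections 3.2.1 and 6) rather than in an Authorization: Basic header; the host, client_id and token values are constructed placeholders.

```javascript
// Token refresh for a public (PKCE) OAuth client running in a browser SPA.
// A public client has no client_secret, so it identifies itself with client_id
// in the form body instead of HTTP Basic credentials. Assumes the Hydra client
// was created with token_endpoint_auth_method "none".

// Constructed placeholder values; replace with your own deployment's.
const TOKEN_ENDPOINT = "https://hydra.example.com/oauth/token";
const CLIENT_ID = "spa-client-id";

// Build the refresh_token grant request. grant_type, refresh_token and
// client_id are required; scope may only narrow the original grant.
function buildRefreshRequest(refreshToken, scope) {
  const params = new URLSearchParams();
  params.set("grant_type", "refresh_token");
  params.set("refresh_token", refreshToken);
  params.set("client_id", CLIENT_ID); // public client: no secret, no Basic header
  if (scope) params.set("scope", scope);
  return {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: params.toString(),
  };
}

// Interpret the token endpoint's JSON body. Servers may rotate refresh tokens,
// so a returned refresh_token must replace the stored one; on invalid_grant
// the SPA has to restart the authorization code + PKCE flow.
function parseTokenResponse(status, json) {
  if (status !== 200) {
    const reason = json && json.error ? json.error : `HTTP ${status}`;
    return { ok: false, reason, reauthorize: reason === "invalid_grant" };
  }
  if (typeof json.access_token !== "string" ||
      String(json.token_type).toLowerCase() !== "bearer") {
    return { ok: false, reason: "malformed token response", reauthorize: false };
  }
  return {
    ok: true,
    accessToken: json.access_token,
    refreshToken: json.refresh_token || null, // null: keep the old one
    expiresAt: Date.now() + (json.expires_in || 0) * 1000,
  };
}

// Usage from the SPA (browser only; needs a real stored refresh token).
async function refreshAccessToken(storedRefreshToken) {
  const res = await fetch(TOKEN_ENDPOINT, buildRefreshRequest(storedRefreshToken));
  return parseTokenResponse(res.status, await res.json());
}
```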