Headless Delivery Refresh Token with PKCE Flow
New Member Posts: 7 Join Date: 1/22/21
I am struggling to obtain refresh tokens when using the headless-delivery with the PKCE OAuth 2.0 Flow. There doesn't seem to be any documentation on how to obtain a new token using the refresh token. The PKCE flow is working fine for obtaining the original token, but when I request a new token using the refresh_token, it is returning an error 'unauthorized client'. I am simply looking for some sort of example or documentation on how to do this.
RE: Headless Delivery Refresh Token with PKCE Flow
Expert Posts: 348 Join Date: 2/12/15
Hi!
I'm not an expert on OAuth (maybe the security team can chime in on this)...
Can you paste the request you are trying? I've tried to refresh a token (but with another flow) with a request like this and I get a new valid access token:
curl -X "POST" "http://localhost:8080/o/oauth2/token" \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \
  --data-urlencode "client_id=id-64eaf18c-49bb-6c9c-7b9a-84f17f65d21" \
  --data-urlencode "client_secret=secret-98fecb7d-3421-78e4-bca5-955b08f7f58" \
  --data-urlencode "grant_type=refresh_token" \
  --data-urlencode "redirect_uri=http://localhost:8080/" \
  --data-urlencode "refresh_token=2f485f80a58f3bb3e964ddbbe3da71561d1f459a75a1ec58365bd39a3762c9d"
RE: RE: Headless Delivery Refresh Token with PKCE Flow
New Member Posts: 7 Join Date: 1/22/21
Thanks for the response, Javier. This request does work for me when using the standard Authorization Code flow, but when using the Authorization with PKCE, there is no client_secret, so this request will not work.
I did base my other attempts off of this and tried many different combinations, and I keep getting the unauthorized_client error but no other details. Instead of the client_secret, the PKCE flow utilizes the code verifier and code challenge to obtain the first token; I have tried to send those appropriate values as well with no success.
RE: Headless Delivery Refresh Token with PKCE Flow
Liferay Master Posts: 676 Join Date: 2/13/09
> but when using the Authorization with PKCE, there is no client_secret, so this request will not work.
It works for me.
curl 'http://localhost:8080/o/oauth2/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data 'client_id=my-pkce-client' \
  --data 'grant_type=refresh_token' \
  --data 'refresh_token=bfc9878164882767b19a9fa29b13ecc6f1c9c124a68d426158ec4bb3e7d' \
  --compressed
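Added example, not part of any post in this thread and not Liferay code: a Python sketch of the two token-endpoint request bodies a public PKCE client sends, showing that the code_verifier belongs only to the first (authorization_code) request and that the refresh request carries just the three fields used in the last reply. The challenge derivation follows RFC 7636 (S256); the function names and the placeholder code and token values are assumptions made for illustration.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

TOKEN_URL = "http://localhost:8080/o/oauth2/token"  # endpoint used in the thread


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 verifier: 43-128 unreserved chars (32 random bytes -> 43 chars)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode()


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def code_exchange_body(client_id: str, code: str, redirect_uri: str, verifier: str) -> str:
    """First token request: the verifier takes the place of a client_secret."""
    return urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    })


def refresh_body(client_id: str, refresh_token: str) -> str:
    """Refresh request for a public client: no client_secret, no code_verifier."""
    return urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
    })


if __name__ == "__main__":
    verifier = make_code_verifier()
    print("code_challenge:", s256_challenge(verifier))
    print("POST", TOKEN_URL)
    # Constructed placeholder values, not real codes or tokens.
    print(code_exchange_body("my-pkce-client", "CONSTRUCTED_CODE",
                             "http://localhost:8080/", verifier))
    print(refresh_body("my-pkce-client", "CONSTRUCTED_REFRESH_TOKEN"))
```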