Headless Delivery Refresh Token with PKCE Flow

Stephen Greco, modified 3 Years ago.

Headless Delivery Refresh Token with PKCE Flow

New Member, Posts: 7, Join Date: 1/22/21

I am struggling to obtain refresh tokens when using the headless-delivery with the PKCE OAuth 2.0 Flow. There doesn't seem to be any documentation on how to obtain a new token using the refresh token. The PKCE flow is working fine for obtaining the original token, but when I request a new token using the refresh_token, it is returning an error 'unauthorized client'. I am simply looking for some sort of example or documentation on how to do this.

Javier Gamarra, modified 3 Years ago.

RE: Headless Delivery Refresh Token with PKCE Flow

Expert, Posts: 348, Join Date: 2/12/15

Hi! 

I'm not an expert on OAuth (maybe the security team can chime in on this)...

Can you paste the request you are trying? I've tried to refresh a token (but with another flow) with a request like this and I get a new valid access token:

curl -X "POST" "http://localhost:8080/o/oauth2/token" \
     -H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \
     --data-urlencode "client_id=id-64eaf18c-49bb-6c9c-7b9a-84f17f65d21" \
     --data-urlencode "client_secret=secret-98fecb7d-3421-78e4-bca5-955b08f7f58" \
     --data-urlencode "grant_type=refresh_token" \
     --data-urlencode "redirect_uri=http://localhost:8080/" \
     --data-urlencode "refresh_token=2f485f80a58f3bb3e964ddbbe3da71561d1f459a75a1ec58365bd39a3762c9d"

Stephen Greco, modified 3 Years ago.

RE: RE: Headless Delivery Refresh Token with PKCE Flow

New Member, Posts: 7, Join Date: 1/22/21

Thanks for the response Javier. This request does work for me when using the standard Authorization Code flow, but when using the Authorization Code flow with PKCE, there is no client_secret, so this request will not work.

I did base my other attempts off of this and tried many different combinations, and I keep getting the unauthorized_client error but no other details. Instead of the client_secret, the PKCE flow utilizes the code verifier and code challenge to obtain the first token; I have tried to send those appropriate values as well with no success.

Tomáš Polešovský, modified 3 Years ago.

RE: Headless Delivery Refresh Token with PKCE Flow

Liferay Master, Posts: 676, Join Date: 2/13/09

but when using the Authorization with PKCE, there is no client_secret, so this request will not work. 

It works for me.

curl 'http://localhost:8080/o/oauth2/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data 'client_id=my-pkce-client' \
  --data 'grant_type=refresh_token' \
  --data 'refresh_token=bfc9878164882767b19a9fa29b13ecc6f1c9c124a68d426158ec4bb3e7d' \
  --compressed
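To make the difference between the two refresh requests in this thread concrete, here is an added example (not code from any poster or from Liferay) that derives a PKCE code_verifier/code_challenge pair with the S256 method (RFC 7636) and builds the form bodies for the first token exchange and for the refresh. It assumes the `http://localhost:8080/o/oauth2/token` endpoint from the thread and a public client registered without a secret; the refresh body matches Tomáš's curl: client_id and refresh_token, no client_secret.

```python
import base64
import hashlib
import secrets
import string
from urllib.parse import urlencode

# Token endpoint as used in the thread; the host is an assumption.
TOKEN_ENDPOINT = "http://localhost:8080/o/oauth2/token"

# Characters allowed in a code_verifier (RFC 7636, section 4.1).
UNRESERVED = string.ascii_letters + string.digits + "-._~"

def make_code_verifier(length: int = 64) -> str:
    """Random code_verifier of 43..128 unreserved characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters long")
    return "".join(secrets.choice(UNRESERVED) for _ in range(length))

def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def authorization_code_request(client_id, code, redirect_uri, verifier) -> dict:
    """Body of the first token request: the verifier stands in for a client_secret."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }

def refresh_token_request(client_id, refresh_token) -> dict:
    """Body of the refresh for a public PKCE client: client_id and refresh_token only.
    No client_secret (the client has none) and no code_verifier (already consumed)."""
    return {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
    }

def form_body(params: dict) -> str:
    """application/x-www-form-urlencoded body, like curl --data-urlencode."""
    return urlencode(params)
```

If the server still answers unauthorized_client to a body like this, the client registration (client type or allowed grant types) is the place to look, since the request itself carries everything a public PKCE client can present.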