Suppress refresh token for oauth2 client credentials grant


David Albrecht

Dec 18, 2020, 8:32:25 AM12/18/20
to CAS Community

Hi all,

According to https://tools.ietf.org/html/rfc6749#section-4.4.3, refresh tokens SHOULD NOT be issued for the client credentials grant.

With CAS we have oauth2 services which are registered for multiple grant types. In our case client credentials, refresh token and authorization code. But we only want to allow refresh tokens for authorization code and NOT for client credentials.

Is there a configuration option to restrict refresh tokens to certain grant types? Because I couldn't find one, we extended OAuth20DefaultTokenGenerator:

    @Override
    protected Pair<OAuth20AccessToken, OAuth20RefreshToken> generateAccessTokenOAuthGrantTypes(final AccessTokenRequestDataHolder holder) {
        // Let CAS generate the access token / refresh token pair as usual.
        final Pair<OAuth20AccessToken, OAuth20RefreshToken> accessTokens = super.generateAccessTokenOAuthGrantTypes(holder);
        if (OAuth20GrantTypes.CLIENT_CREDENTIALS.equals(holder.getGrantType())) {
            // Keep the access token but drop the refresh token for this grant type.
            LOGGER.debug("Suppressing refresh token for client credentials grant. According to https://tools.ietf.org/html/rfc6749#section-4.4.3");
            return Pair.of(accessTokens.getLeft(), null);
        }
        return accessTokens;
    }

Does it make sense to introduce some configuration option for this? If so, I would try to create a PR for this change.
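An added check, not part of the post or of CAS itself: a small validator that inspects a token-endpoint response for a given grant type and reports a refresh_token handed out under client_credentials, so a deployment can be verified against the RFC 6749 section 4.4.3 rule discussed above. The sample response bodies are constructed, not captured from a real server.

```python
import json
from typing import List

# Grant types for which RFC 6749 allows a refresh token in the token response.
# client_credentials is deliberately absent (RFC 6749 section 4.4.3: SHOULD NOT).
REFRESH_TOKEN_ALLOWED = {"authorization_code", "password", "refresh_token"}


def check_token_response(grant_type: str, body: str) -> List[str]:
    """Return findings for one token-endpoint response body.

    grant_type is the grant_type parameter the client sent; body is the raw
    JSON text the authorization server returned. An empty list means the
    response is consistent with RFC 6749 for that grant type.
    """
    findings = []
    try:
        resp = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"response is not valid JSON: {exc}"]
    if "error" in resp:
        return []  # error responses carry no tokens, nothing to check
    if "access_token" not in resp:
        findings.append("success response without access_token")
    if "refresh_token" in resp and grant_type not in REFRESH_TOKEN_ALLOWED:
        findings.append(f"refresh_token issued for grant_type={grant_type} "
                        "(RFC 6749 section 4.4.3 says it SHOULD NOT be)")
    if "expires_in" not in resp:
        findings.append("no expires_in; access token lifetime not visible to the client")
    return findings


# Constructed sample responses; the token values are placeholders.
SAMPLE_CLIENT_CREDENTIALS = ('{"access_token":"AT-1-example","token_type":"bearer",'
                             '"expires_in":28800,"refresh_token":"RT-1-example"}')
SAMPLE_AUTHORIZATION_CODE = ('{"access_token":"AT-2-example","token_type":"bearer",'
                             '"expires_in":28800,"refresh_token":"RT-2-example"}')

if __name__ == "__main__":
    for grant, body in (("client_credentials", SAMPLE_CLIENT_CREDENTIALS),
                        ("authorization_code", SAMPLE_AUTHORIZATION_CODE)):
        print(grant, check_token_response(grant, body) or "ok")
```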
