Missing Refresh Token for Password Grant #108

@hvarg

Hi all,

I’ve been working on implementing authorization for a web application using the Tapis OAuth 2.0 Authentication system. I’ve followed the documentation to implement the described grants.

  • Authorization Code Grant: This grant works as expected, but it requires sending the client_secret in the request. I would prefer not to expose this in a web application. Is there a recommended way to avoid using the client_secret in such scenarios?

  • Implicit and Password Grants: These grants do not return a refresh token. Is this the intended behavior? If not, is there a way to obtain a refresh token when using these grant types?

Thank you for your assistance!
