We’d like to disable the inclusion of the refresh token in the authentication response when using the client_credentials grant type for a service account. If I understand correctly there is a bit of conflict between the OAUTH2 spec (see https://tools.ietf.org/html/rfc6749#section-4.4.3, the refresh token should not be included in the response for a client_credentials grant type) and the OIDC offline access spec (see https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess, it lists the refresh token should be returned but only when using offline_access scope).
Is there a way to disable offline access / refresh tokens for a service account?
looking at the same issue as well
in my case i am using a public client with SPA application
and I have disabled offline access grant as well …
and refresh token still returning from the auth code grant
From my research, I found many other similar enquires and my conclusion is that I don’t think it is possible to disable the refresh token. I say “I think” because nobody with the authority has never showed up and confirmed.
At same time, I think this can be a significant security risk depending on the architecture in place.
UP.
We faced this issue also on our side.
As stated by justin.spies, the RFC clearly states that “the refresh token should not be included in the response for a client_credentials grant type”.
Can someone from RedHat team explain why is currently included?
The offline access scope give you a refresh token without any expiration date.
The refresh token you got without this scope will have an expiration and can be configured on the admin console.
This clearly diverts from keycloaks client credential grant flow documented here. Either update the document or need to fix the issue by removing refresh token.