Disable Refresh Token for Service Accounts

We’d like to disable the inclusion of the refresh token in the authentication response when using the client_credentials grant type for a service account. If I understand correctly there is a bit of conflict between the OAUTH2 spec (see https://tools.ietf.org/html/rfc6749#section-4.4.3, the refresh token should not be included in the response for a client_credentials grant type) and the OIDC offline access spec (see https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess, it lists the refresh token should be returned but only when using offline_access scope).

Is there a way to disable offline access / refresh tokens for a service account?

2 Likes

looking at the same issue as well
in my case i am using a public client with SPA application
and I have disabled offline access grant as well …
and refresh token still returning from the auth code grant

Same Problem here.I also deisbaled offlice_access in the client and the generated service account. But the refresh token is still in the response.

From my research, I found many other similar enquires and my conclusion is that I don’t think it is possible to disable the refresh token. I say “I think” because nobody with the authority has never showed up and confirmed.

At same time, I think this can be a significant security risk depending on the architecture in place.

UP.
We faced this issue also on our side.
As stated by justin.spies, the RFC clearly states that “the refresh token should not be included in the response for a client_credentials grant type”.
Can someone from RedHat team explain why is currently included?

Thanks a lot!

Hi,

This seems to be a bit of misunderstanding here.

The offline access scope give you a refresh token without any expiration date.
The refresh token you got without this scope will have an expiration and can be configured on the admin console.