We’re trying to use KeyCloak as an Authorization Server in support of http://www.hl7.org/fhir/smart-app-launch/ which is an OAuth / OpenID Connect profile being used in healthcare.
This specification has a conformance test suite (https://inferno.healthit.gov) and we’re failing one of the conformance tests because, for an already-registered “public” client, it is passing only grant_type and refresh_token in the refresh step, and not client_id.
With our current configuration this returns an error like
"error_description": "INVALID_CREDENTIALS: Invalid client credentials"
However, when I pass the client_id, then it seems to work as expected.
Is there a way to configure/support the refresh token without being passed a client_id?
I did some more RFC reading, but it didn’t add much clarity.
OpenID Connect says this:
A request to the Token Endpoint can also use a Refresh Token by using the grant_type value refresh_token, as described in Section 6 of OAuth 2.0 [RFC6749]. This section defines the behaviors for OpenID Connect Authorization Servers when Refresh Tokens are used.
That section says:
If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in Section 3.2.1
And finally, this section says
A client MAY use the “client_id” request parameter to identify itself
when sending requests to the token endpoint.
Does the use of MAY here imply that its not required?
I also found that there is a pending errata for this sentence, but it merely clarifies that this line is intended for public clients (and not confidential ones).
So, after reading all this, I’m thinking that the conformance test should be allowed to omit client_id (as it is) and I’m wondering if maybe this is just a limitation with the keycloak OAuth implementation. Should I open it as an issue?
Although client_id requirement for public client is not explicitly specified in oauth 2.0 spec, the Openid Connect spec seem indicates client_id is required to refresh a token regardless of confidential or public clients. See https://openid.net/specs/openid-connect-core-1_0.html#RefreshingAccessToken. It states “the Client MUST authenticate to the Token Endpoint using the authentication method registered for its client_id”, which implies client_id is required.