Keycloak - client credentials grant violation of OAuth2 standard (RFC6749)?

ping · June 26, 2020, 7:40am

Hi,

For the client credentials grant, Keycloak (at least 9.0.x) do issue a ‘refresh token’ which violate the RFC

which state that “A refresh token SHOULD NOT be included.”
(https://tools.ietf.org/html/rfc6749#page-4.4.3)

Is it possible to configure keycloak to do not issue ‘refresh token’ for client credentials grant for standard conformance?

thanks.

Topic		Replies	Views
[invalid_grant] Session doesn't have required client Configuring the server authentication , oidc	0	177	February 29, 2024
Disable Refresh Token for Service Accounts Securing applications oidc	6	5031	May 13, 2022
Refresh Token Invalidation Securing applications	0	182	October 23, 2023
Allow a client to issue access & refresh tokens (offline tokens) Getting advice oidc	0	301	September 3, 2021
I cannot refresh a token with a public client	2	638	August 18, 2021