The Client Credentials and Resource Owner grants need to also use the refresh token when their tokens have expired
Currently only the Authorization Code grant is generating a new token using the refresh token if the token has expired. This patch will also have the Client Credentials and Resource Owner grants make use of the refresh token.
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | 3038230-resource-owner-and-client-credentials-use-refresh-token.patch | 2.1 KB | jagermonster |
Comments
Comment #2
jagermonster commented
Comment #3
ivan.chavarro commented
I got this error when I tried to use this patch:
BadMethodCallException: Required parameter not passed: "refresh_token" in League\OAuth2\Client\Grant\AbstractGrant->checkRequiredParameter() (line 35 of /app/vendor/league/oauth2-client/src/Tool/RequiredParameterTrait.php).
I figured out my issue working with this path instead: https://www.drupal.org/project/oauth2_client/issues/3064090
Comment #4
fathershawn
Hi! @perelesnyk and I have stepped up as maintainers, officially for D9 compatible and forward. I've added this issue to our planning issue. The OAuth2 standard has Refresh tokens as optional in general:
https://tools.ietf.org/html/rfc6749#section-1.5
So if a refresh token is returned with the original access token, we should use it on all grant types.
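An added example, not part of the thread and not code from the oauth2_client module or the attached patch: one way to use the refresh token only when one was returned, for any grant type, with league/oauth2-client. `renew_token()` is a hypothetical helper name; it assumes a configured provider and that the caller knows which grant the token was first issued under.

```php
<?php
// Added example. Requires league/oauth2-client; renew_token() is hypothetical.

use League\OAuth2\Client\Provider\AbstractProvider;
use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
use League\OAuth2\Client\Token\AccessTokenInterface;

/**
 * Returns a usable access token, renewing it when it has expired.
 *
 * @param string $grant   Grant the token was first issued under.
 * @param array  $options Options for that grant (scope, username, ...).
 */
function renew_token(
  AbstractProvider $provider,
  ?AccessTokenInterface $token,
  string $grant,
  array $options = []
): AccessTokenInterface {
  // hasExpired() throws RuntimeException when the token carries no expiry,
  // so check getExpires() first and treat "no expiry" as still valid.
  if ($token !== NULL && (empty($token->getExpires()) || !$token->hasExpired())) {
    return $token;
  }

  // RFC 6749 section 1.5: the refresh token is optional. Build the
  // refresh_token grant only when one was issued; a NULL or missing value
  // makes the library throw 'Required parameter not passed: "refresh_token"'.
  $refresh = $token !== NULL ? $token->getRefreshToken() : NULL;
  if (!empty($refresh)) {
    try {
      return $provider->getAccessToken('refresh_token', ['refresh_token' => $refresh]);
    }
    catch (IdentityProviderException $e) {
      // The server rejected the refresh token: fall through to the original grant.
    }
  }

  // These two grants need no browser redirect, so they can simply be re-run.
  if (in_array($grant, ['client_credentials', 'password'], TRUE)) {
    return $provider->getAccessToken($grant, $options);
  }

  // authorization_code needs the user; the caller has to restart the flow.
  throw new RuntimeException("Token expired and no refresh token for grant '$grant'.");
}
```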
Comment #5
fathershawn
Addressed in #3072062: Refactor Authorization Token Flow
Comment #6
fathershawn