Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
It is possible to invoke refresh_token flow with access_token (instead of refresh_token) #829
Reported in support ticket: https://support.gluu.org/authentication/5635/invoke-refresh_token-grant-type-with-an-access-token/
Currently it is possible to invoke the refresh_token grant type with an access_token. We used password grant_type to obain an access_token and a refresh_token. Afterwards we don NOT use the refresh_token but the access_token to invoke the refresh_token grant type.
Is this behaviour intended and if so where can we probably deactivate it?