fix(client-oauth2): 👻 ensure client_credentials flow follows RFC 6749 #16341
Conversation
- Update client credentials flow to comply with RFC 6749 section 4.4.3 - Remove refresh token from client credentials flow as per spec - Maintain backward compatibility with existing implementations Ref: https://community.n8n.io/t/oauth2-client-credentials-not-refreshing-expired-tokens/127129/6
|
|
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
cubic reviewed 4 files and found no issues. Review PR in cubic.dev.
|
Hey @yonathan9669, Thanks for the PR, We have created "GHC-2537" as the internal reference to get this reviewed. One of us will be in touch if there are any changes needed, in most cases this is normally within a couple of weeks but it depends on the current workload of the team. |
n8n-assistant
bot
added
the
in linear
|
Hey @Joffcom, thanks for your quick reply. Awesome, I hope this small fix can help others facing similar issues with OAuth2 client credentials. 🤝 I'll be available to improve anything if it's required. There might be opportunities for further improvements, but I wanted to start with the most straightforward fix for the immediate issue. Thanks a lot in advance for accepting my contribution to this amazing community 🙏🏻 |
Summary
This PR ensures that the OAuth2 client credentials flow strictly follows RFC 6749 specifications, particularly section 4.4.3, which states that no refresh token should be included in the response.
Changes Made
Testing
Related Issues
Additional Context
According to RFC 6749 Section 4.4.3, the client credentials flow should not return a refresh token. This change ensures compliance with the specification while maintaining backward compatibility with existing code.
Note: I have touched the minimum amount of code to solve the issue and preserve current behavior. I assume a better solution could be set in place but this would cover both scenarios for now.
Review Checklist