Pre-authz mode does not appear to allow credential refresh

Issue #1627 resolved
David W Chadwick created an issue

Because the pre-authz flow does not identify and authenticate the client according to the current protocol specification, ?our?many? OAuth servers do not return a refresh token to the client (only an access token). This makes it difficult to use this mode of issuing with credentials such as mDL that are relatively short-lived and not revocable. It means the user would frequently need to return to the issuer and start the whole issuing process again, as the access token is short-lived.

Is the lack of refresh token an implementation bug or is it correct behaviour implied by the OAuth2 spec?

Comments (2)
