OAuth refreshUrl property

[pleothaud]

Hi,

Is there any reason why the non-standard refreshUrl property was added to OAI?

Obtaining a new Access Token using the Refresh Token should be done using the TokenEndpoint, as stated in RFC 6749 (OAuth 2.0 Authorization framework):

"3.2. Token Endpoint
The token endpoint is used by the client to obtain an access token by presenting its authorization grant or refresh token. The token endpoint is used with every authorization grant except for the implicit grant type (since an access token is issued directly)."

Thanks,

Philippe

[LasneF]

I would agree with @pleothaud
here being the link https://www.rfc-editor.org/rfc/rfc6749#section-3.2

this may deserve to set this field as deprecated in 3.2 version , and to remove it for OAS 4.0

notice than

• OIDC discovery endpoint for instance only declare the the token endpoint
• few providers like Microsoft power app allows to differentiate it , but to me this should goes to customization as not main stream / not standard to use different endpoint