Hi,

You could perhaps use private_key_jwt from the OpenID specs: 
https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication

Yours,
Emelia
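As an added illustration of the private_key_jwt method Emelia points to (this is example code written for this page, not code from Emelia, Workday, or the OpenID specification), the block below builds a client assertion on the client side and validates it on the authorization server side. The client holds a key pair and registers only the public key, so no client_secret ever exists; the assertion is a short-lived JWT with iss and sub set to the client_id, aud set to the token endpoint, and a unique jti. ES256 is an assumed signing algorithm choice, the endpoint, client_id and jti values are constructed, and the in-memory jti cache stands in for whatever replay store a real server would use.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims of a private_key_jwt client assertion (OIDC Core 1.0 section 9 / RFC 7523): iss and sub are the client_id, aud is the token endpoint, jti makes the assertion single-use.
type AssertionClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Jti string `json:"jti"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// GenerateClientKey makes the client's P-256 key pair; only the public half is registered with the AS.
func GenerateClientKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// BuildClientAssertion is the client side: a short-lived ES256-signed JWT bound to one token endpoint.
func BuildClientAssertion(key *ecdsa.PrivateKey, clientID, tokenEndpoint, jti string, now time.Time) (string, error) {
	header := b64([]byte(`{"alg":"ES256","typ":"JWT"}`))
	claims, err := json.Marshal(AssertionClaims{Iss: clientID, Sub: clientID, Aud: tokenEndpoint, Jti: jti, Exp: now.Add(60 * time.Second).Unix()})
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is r || s, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64(sig), nil
}

// Verifier is the authorization server side: registered client keys plus a jti replay cache.
type Verifier struct {
	Keys          map[string]*ecdsa.PublicKey // client_id -> registered public key
	TokenEndpoint string
	seenJTI       map[string]bool // a production cache drops entries once their exp has passed
}

func NewVerifier(ep string) *Verifier { return &Verifier{Keys: map[string]*ecdsa.PublicKey{}, TokenEndpoint: ep, seenJTI: map[string]bool{}} }

// VerifyClientAssertion authenticates the client and returns its client_id. The verification key is the one registered for iss; nothing inside the JWT (alg, jwk, kid) may choose it.
func (v *Verifier) VerifyClientAssertion(assertion string, now time.Time) (string, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed assertion")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "ES256" {
		return "", errors.New("alg is pinned to ES256")
	}
	var c AssertionClaims
	if cb, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(cb, &c) != nil || c.Iss == "" || c.Iss != c.Sub || v.Keys[c.Iss] == nil {
		return "", errors.New("claims unreadable, iss != sub, or unknown client_id")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return "", errors.New("malformed signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(v.Keys[c.Iss], digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", errors.New("invalid signature")
	}
	switch { // claims are only meaningful once the signature holds
	case c.Aud != v.TokenEndpoint:
		return "", errors.New("aud is not this token endpoint")
	case now.Unix() >= c.Exp:
		return "", errors.New("assertion expired")
	case v.seenJTI[c.Jti]:
		return "", errors.New("jti already used (replay)")
	}
	v.seenJTI[c.Jti] = true
	return c.Iss, nil
}

func main() {
	key, _ := GenerateClientKey()
	v := NewVerifier("https://as.example.test/token") // constructed sample endpoint
	v.Keys["app-1"] = &key.PublicKey
	a, _ := BuildClientAssertion(key, "app-1", v.TokenEndpoint, "jti-0001", time.Now())
	fmt.Println(v.VerifyClientAssertion(a, time.Now())) // first use: app-1 <nil>
	fmt.Println(v.VerifyClientAssertion(a, time.Now())) // same jti again is rejected as a replay
}
```

On the wire the client sends the assertion to the token endpoint as `client_assertion` with `client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer` alongside `grant_type=refresh_token`; the server looks the key up by iss, so a stolen refresh token alone is useless without the client's private key. For a native app the key pair would be generated per installation and kept in the platform keystore, which is what makes this workable where a shared client_secret is not.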

> On 3 Mar 2025, at 20:06, Srinivas Challa 
> <[email protected]> wrote:
> 
> Hi,
> I am from Workday working on the OAuth feature. We currently support a PKCE-based 
> OAuth flow, but we currently do not support returning a refresh token, 
> since client authentication is not possible without a client_secret to exchange 
> the RT for an AT for offline access. I do see a pattern of using device_secret as part 
> of the OpenID Native SSO specification 
> <https://openid.net/specs/openid-connect-native-sso-1_0-04.html> but am not sure 
> if this is the right pattern. Is there a recommendation on the security best 
> practice/pattern for how we can support RT for PKCE-based flows?
>  
> Thanks,
> -Srinivas
> _______________________________________________
> OAuth mailing list -- [email protected] <mailto:[email protected]>
> To unsubscribe send an email to [email protected] 
> <mailto:[email protected]>