Difference Between Public And Confidential Applications

Jonathan White

I need to create a confidential application so that I can maintain authorisation with refresh tokens.

I'm following the the Confidential Application Auth Flow and the associated tutorial. The only significant difference I see between the confidential app auth flow and the public app auth flow is that the Client Secret is included in the base64 encoded Authorization header, which I've ensured my application includes in its requests to the token endpoint. Despite that, I never get a refresh token back.

Is there a setting on the application configuration that marks an app as confidential? Or is there some other difference in the auth flows that I'm missing?

Jonathan White

I've finally managed to get a refresh token back.

It wasn't clear in the Authorization code flow for confidential applications tutorial that you need to pass the client ID and client secret in the POST request body to the token endpoint.

It does say to include the client ID and secret in the Authorization header after concatenating and base64 encoding the two and it specifically says this header is required UNLESS you include the id and secret in the request.
However, I only get a refresh token back if I include them in the request body.

I think the documentation could do with some clarification on that point.

Daniel Leonard

@Jonathan White Sorry you are having authorization issues. I just verified that you can pass the client ID and secret in either the authorization header or the request body, as documented. It's possible there was an issue encoding the client ID and secret in the authorization header.