Is redirect_uri optional when refreshing an OAuth 2.0 Access Token?


#1

Take a look at the parameter list for the refresh access token call:

It clearly states refreshing a token has no optional params, and lists

  • grant_type
  • client_id
  • client_secret
  • redirect_uri <---- can be omitted and with successful result
  • refresh_token

as required. But even so, omitting the redirect_uri body param, or just sending it with no value still successfully refreshes the token!
From a logical perspective this makes sense to me, why would I need the redirect_uri param after the first token has been successfully acquired, but I would like to know if this is a documentation error or if it indeed is an optional parameter?


#3

Hi @kwonderschool, good eye! The redirect_uri is not necessary in this step as per the OAuth 2.0 specs so you don't need to include it for refreshing tokens. Your logic is sound here. We're refreshing the docs to exclude this parameter as we speak. Thank you for the heads up! 🙂
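Added example, not part of the thread and not this provider's code: a toy token endpoint following RFC 6749, showing why `redirect_uri` is checked when exchanging an authorization code (section 4.1.3) but never consulted for `grant_type=refresh_token` (section 6). The client id, secret, code, refresh token and callback URL are constructed sample values, and sending client credentials in the body is assumed from the parameter list quoted above.

```python
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed sample state for a toy authorization server (all values made up).
CLIENTS = {"app-123": "s3cret"}
CODES = {"code-abc": {"client_id": "app-123",
                      "redirect_uri": "https://app.example/cb"}}
REFRESH_TOKENS = {"rt-xyz": {"client_id": "app-123"}}

def build_refresh_body(client_id, client_secret, refresh_token, scope=None):
    """Client side: refresh request body with no redirect_uri."""
    params = {"grant_type": "refresh_token", "refresh_token": refresh_token,
              "client_id": client_id, "client_secret": client_secret}
    if scope:
        params["scope"] = scope  # optional; must stay within the granted scope
    return urlencode(params)

def check_token_request(body):
    """Server side: return 'ok' or an RFC 6749 section 5.2 error code."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    client_id = form.get("client_id", "")
    expected = CLIENTS.get(client_id)
    # Constant-time comparison of the client secret.
    if expected is None or not hmac.compare_digest(
            expected.encode(), form.get("client_secret", "").encode()):
        return "invalid_client"
    grant = form.get("grant_type")
    if grant == "authorization_code":
        rec = CODES.get(form.get("code"))
        # The code was delivered through a redirect, so the exchange must
        # repeat the exact redirect_uri the code was issued for.
        if (rec is None or rec["client_id"] != client_id
                or form.get("redirect_uri") != rec["redirect_uri"]):
            return "invalid_grant"
        return "ok"
    if grant == "refresh_token":
        rec = REFRESH_TOKENS.get(form.get("refresh_token"))
        # No redirect is involved: the token is bound to the client only,
        # so a missing or empty redirect_uri is never consulted.
        if rec is None or rec["client_id"] != client_id:
            return "invalid_grant"
        return "ok"
    return "unsupported_grant_type"
```

The security-relevant binding for a refresh token is the client it was issued to, which is why the refresh branch still rejects a token presented by a different or unauthenticated client.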