[SOLVED] Appwrite's Discord Oauth2 expose refresh token on the client side - Threads - Appwrite

Skip to content

Is it possible to not allow the appwrite server to send the refresh token to the client side, only send the token instead?

TL;DR

Appwrite's Discord Oauth2 does not expose the refresh token on the client side. The refresh token is useless without the backend secrets and is not given out in the client credentials grant. It is not safe to send the refresh token to the client side, and modifying the code would be required to prevent the appwrite server from sending the refresh token to the client.

From which endpoint?

Also, I don't think it would be possible without modifying the code.

ah ok, I don't think it's quite safe to send the refresh token to the client right?

getSession

It's only visible to the current user.

So I'm not sure it can be a safety matter

but that means any javascript that is running on the webpage can get the refresh token

alright

Mmm. By running xhr to that endpoint?

That is an interesting way of thinking.

I think we wait and see what Steven's thinking about it.

alright

Btw for client crefentials grant discord doesn't even give out the refresh token, so... https://discord.com/developers/docs/topics/oauth2#client-credentials-grant

What about this https://discord.com/developers/docs/topics/oauth2#authorization-code-grant-refresh-token-exchange-example

It seems like that the refresh token is useless without the backend secrets

So it looks okay

ye fair enough, never thought about that lol

[SOLVED] Appwrite's Discord Oauth2 expose refresh token on the client side

Reply

Reply to this thread by joining our Discord

Reply on Discord

Need support?

Join our Discord

Get community support by joining our Discord server.

Get premium support

Join Appwrite Pro and get email support from our team.