MediaWiki-extensions-OAuth supports non-confidential (public) clients, which can obtain an access token using only their client ID, with no client secret. However, those clients can't refresh the access token: they are issued a refresh token, but presenting it to the token endpoint yields an authentication error. Since the access token has the same TTL as for confidential clients (14400 seconds, i.e. four hours), a non-confidential client effectively has to repeat the whole authorization flow, including the user-facing consent step, every four hours if it wants to keep making requests on behalf of a user.
This is a limitation inherited from the underlying league/oauth2-server package, where the authorization code grant and the refresh token grant validate the client differently:
Authorization code grant:

```php
// Only validate the client if it is confidential
if ($client->isConfidential()) {
    $this->validateClient($request);
}
```

Refresh token grant:

```php
// Validate request
$client = $this->validateClient($request);
```
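The following Python model, added here as an illustration and not code from Extension:OAuth or league/oauth2-server, reproduces the asymmetry above with a toy token endpoint and drives a public and a confidential client through ten hours of hourly API calls. The endpoint's `validateClient()` equivalent is assumed to demand a matching client secret, which a public client cannot present; that assumption is what produces the authentication error described above. All clients, secrets and timings are constructed for the example.

```python
"""Model of the grant-handler asymmetry: authorization_code skips client
validation for public clients, refresh_token never does (constructed example)."""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

ACCESS_TOKEN_TTL = 14400  # seconds; the TTL both client kinds get


class OAuthError(Exception):
    """Token-endpoint error; .code mirrors the RFC 6749 error string."""
    def __init__(self, code: str) -> None:
        super().__init__(code)
        self.code = code


@dataclass
class Client:
    client_id: str
    secret: Optional[str] = None  # None models a non-confidential (public) client

    @property
    def is_confidential(self) -> bool:
        return self.secret is not None


@dataclass
class TokenServer:
    """Toy token endpoint; only client validation and token bookkeeping are modelled."""
    clients: dict[str, Client]
    codes: dict[str, str] = field(default_factory=dict)           # code -> client_id
    refresh_tokens: dict[str, str] = field(default_factory=dict)  # refresh -> client_id
    access_tokens: dict[str, tuple[str, int]] = field(default_factory=dict)  # token -> (client_id, expiry)

    def issue_code(self, client_id: str) -> str:
        """Stands in for the user-facing authorization (consent) step."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = client_id
        return code

    def _lookup(self, req: dict) -> Client:
        client = self.clients.get(req.get("client_id", ""))
        if client is None:
            raise OAuthError("invalid_client")
        return client

    def _validate_client(self, req: dict) -> Client:
        # Assumed behaviour of validateClient(): a matching client_secret is
        # required, so a public client (no secret at all) always fails here.
        client = self._lookup(req)
        presented = req.get("client_secret", "")
        if client.secret is None or not hmac.compare_digest(client.secret, presented):
            raise OAuthError("invalid_client")
        return client

    def _issue_tokens(self, client: Client, now: int) -> dict:
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access_tokens[access] = (client.client_id, now + ACCESS_TOKEN_TTL)
        self.refresh_tokens[refresh] = client.client_id
        return {"access_token": access, "refresh_token": refresh, "expires_in": ACCESS_TOKEN_TTL}

    def authorization_code(self, req: dict, now: int) -> dict:
        # Mirrors the auth code grant: only validate the client if it is confidential.
        client = self._lookup(req)
        if client.is_confidential:
            client = self._validate_client(req)
        if self.codes.pop(req.get("code", ""), None) != client.client_id:
            raise OAuthError("invalid_grant")
        return self._issue_tokens(client, now)

    def refresh_token(self, req: dict, now: int) -> dict:
        # Mirrors the refresh token grant: validateClient() runs unconditionally.
        client = self._validate_client(req)
        if self.refresh_tokens.pop(req.get("refresh_token", ""), None) != client.client_id:
            raise OAuthError("invalid_grant")
        return self._issue_tokens(client, now)

    def is_valid(self, access_token: str, now: int) -> bool:
        entry = self.access_tokens.get(access_token)
        return entry is not None and now < entry[1]


def simulate(server: TokenServer, client: Client, request_times: list[int]) -> dict:
    """Make one API call per timestamp: refresh when the token has expired and
    fall back to a fresh authorization flow when the refresh is rejected."""
    stats = {"authorizations": 0, "refreshes": 0, "refresh_errors": 0}
    creds = {"client_id": client.client_id}
    if client.secret is not None:
        creds["client_secret"] = client.secret
    tokens = None
    for now in request_times:
        if tokens is not None and server.is_valid(tokens["access_token"], now):
            continue  # token still good, the request just goes through
        if tokens is not None:
            try:
                tokens = server.refresh_token({**creds, "refresh_token": tokens["refresh_token"]}, now)
                stats["refreshes"] += 1
                continue
            except OAuthError:
                stats["refresh_errors"] += 1  # public client: back to the consent screen
        code = server.issue_code(client.client_id)
        tokens = server.authorization_code({**creds, "code": code}, now)
        stats["authorizations"] += 1
    return stats


def demo() -> dict:
    server = TokenServer(clients={
        "public-app": Client("public-app"),
        "server-app": Client("server-app", secret="s3cret"),
    })
    hours = [h * 3600 for h in range(10)]  # hourly calls over ten hours
    return {
        "public": simulate(server, server.clients["public-app"], hours),
        "confidential": simulate(server, server.clients["server-app"], hours),
    }


if __name__ == "__main__":
    print(demo())
```

With a four-hour TTL the public client has to go through the authorization flow three times in ten hours and never refreshes successfully, while the confidential client authorizes once and refreshes twice; the only difference between the two runs is whether `_validate_client` can be satisfied.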
It’s tracked upstream as issue #1073, but I thought it would be useful to have a task on Phabricator too. (Note that Extension:OAuth and mediawiki/vendor.git currently use a custom “9.0.0-alpha” version of the library, so even if the library implements this feature, switching to that release version might not be trivial depending on how much it diverges from the version we currently use.)