Meeds-io · boubaker · May 5, 2026 · May 5, 2026
diff --git a/...ervice/src/main/java/io/meeds/oauth2/server/configuration/OAuthSecurityConfiguration.java b/...ervice/src/main/java/io/meeds/oauth2/server/configuration/OAuthSecurityConfiguration.java
@@ -74,6 +74,8 @@
 import io.meeds.oauth2.server.configuration.model.OAuthDefaultSettings;
 import io.meeds.oauth2.server.plugin.OAuthAuthorizationRequestConverter;
 import io.meeds.oauth2.server.plugin.OAuthDcrHttpAuthenticationConverter;
+import io.meeds.oauth2.server.plugin.OAuthRefreshTokenPublicAuthenticationProvider;
+import io.meeds.oauth2.server.plugin.OAuthRefreshTokenPublicClientAuthenticationConverter;
 import io.meeds.oauth2.server.security.OAuthCimdAuthenticationProvider;
 import io.meeds.oauth2.server.security.OAuthDcrAuthenticationProvider;
 import io.meeds.oauth2.server.security.OAuthPortalAuthenticationProvider;
@@ -109,6 +111,8 @@ SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http,
                                                              OAuthCimdAuthenticationProvider cimdAuthenticationProvider,
                                                              OAuthDcrHttpAuthenticationConverter oAuthDcrHttpAuthenticationConverter,
                                                              OAuthAuthorizationRequestConverter oAuthAuthorizationRequestConverter,
+                                                             OAuthRefreshTokenPublicAuthenticationProvider oAuthRefreshTokenPublicAuthenticationProvider,
+                                                             OAuthRefreshTokenPublicClientAuthenticationConverter oAuthRefreshTokenPublicClientAuthenticationConverter,
                                                              SecurityContextRepository securityContextRepository,
                                                              @Qualifier("oauthAuthenticationProvider")
                                                              OAuthDcrAuthenticationProvider oauthAuthenticationProvider,
@@ -129,6 +133,10 @@ SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http,
                                                                                       oAuthAuthorizationRequestConverter))
                            .authorizationServerMetadataEndpoint(oauth -> oauth.authorizationServerMetadataCustomizer(c -> customizeMetadata(c,
                                                                                                                                             oAuthSettingService)))
+                           .clientAuthentication(oauth -> oauth.authenticationConverters(converters -> converters.add(0,
+                                                                                                                      oAuthRefreshTokenPublicClientAuthenticationConverter))
+                                                               .authenticationProviders(providers -> providers.add(0,
+                                                                                                                   oAuthRefreshTokenPublicAuthenticationProvider)))
                            .oidc(oidc -> oidc.clientRegistrationEndpoint(e -> customizeRegistrationEndpoint(e,
                                                                                                             oauthAuthenticationProvider,
                                                                                                             oAuthDcrHttpAuthenticationConverter))

diff --git a/...ain/java/io/meeds/oauth2/server/plugin/OAuthRefreshTokenPublicAuthenticationProvider.java b/...ain/java/io/meeds/oauth2/server/plugin/OAuthRefreshTokenPublicAuthenticationProvider.java
@@ -0,0 +1,69 @@
+/**
+ * This file is part of the Meeds project (https://meeds.io/).
+ *
+ * Copyright (C) 2020 - 2026 Meeds Association contact@meeds.io
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package io.meeds.oauth2.server.plugin;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
+import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
+import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
+import org.springframework.stereotype.Component;
+
+import io.meeds.oauth2.server.service.OAuthClientService;
+
+@Component
+public class OAuthRefreshTokenPublicAuthenticationProvider implements AuthenticationProvider {
+
+  @Autowired
+  private OAuthClientService oAuthClientService;
+
+  @Override
+  public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+    if (!(authentication instanceof OAuth2ClientAuthenticationToken clientAuthentication)
+        || !ClientAuthenticationMethod.NONE.equals(clientAuthentication.getClientAuthenticationMethod())) {
+      return null;
+    } else {
+      String clientId = clientAuthentication.getPrincipal().toString();
+      RegisteredClient registeredClient = oAuthClientService.getClient(clientId);
+      if (registeredClient == null) {
+        throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_CLIENT);
+      } else if (!registeredClient.getClientAuthenticationMethods().contains(ClientAuthenticationMethod.NONE)) {
+        throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_CLIENT);
+      } else if (!registeredClient.getAuthorizationGrantTypes()
+                                  .contains(AuthorizationGrantType.REFRESH_TOKEN)) {
+        throw new OAuth2AuthenticationException(OAuth2ErrorCodes.UNAUTHORIZED_CLIENT);
+      } else {
+        return new OAuth2ClientAuthenticationToken(registeredClient,
+                                                   ClientAuthenticationMethod.NONE,
+                                                   null);
+      }
+    }
+  }
+
+  @Override
+  public boolean supports(Class<?> authentication) {
+    return OAuth2ClientAuthenticationToken.class.isAssignableFrom(authentication);
+  }
+
+}
diff --git a/...a/io/meeds/oauth2/server/plugin/OAuthRefreshTokenPublicClientAuthenticationConverter.java b/...a/io/meeds/oauth2/server/plugin/OAuthRefreshTokenPublicClientAuthenticationConverter.java
@@ -0,0 +1,71 @@
+/**
+ * This file is part of the Meeds project (https://meeds.io/).
+ *
+ * Copyright (C) 2020 - 2026 Meeds Association contact@meeds.io
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package io.meeds.oauth2.server.plugin;
+
+import java.util.Collections;
+
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
+import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
+import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
+import org.springframework.security.web.authentication.AuthenticationConverter;
+import org.springframework.stereotype.Component;
+
+import io.meeds.oauth2.server.service.OAuthClientService;
+
+import jakarta.servlet.http.HttpServletRequest;
+
+@Component
+public final class OAuthRefreshTokenPublicClientAuthenticationConverter implements AuthenticationConverter {
+
+  @Autowired
+  private OAuthClientService oAuthClientService;
+
+  @Override
+  public Authentication convert(HttpServletRequest request) {
+    String grantType = request.getParameter(OAuth2ParameterNames.GRANT_TYPE);
+    if (!AuthorizationGrantType.REFRESH_TOKEN.getValue().equals(grantType)) {
+      return null;
+    }
+    String clientId = request.getParameter(OAuth2ParameterNames.CLIENT_ID);
+    if (StringUtils.isBlank(clientId)) {
+      return null;
+    }
+    RegisteredClient registeredClient = oAuthClientService.getClient(clientId);
+    if (registeredClient == null
+        || !registeredClient.getClientAuthenticationMethods().contains(ClientAuthenticationMethod.NONE)) {
+      return null;
+    } else if (!registeredClient.getAuthorizationGrantTypes()
+                                .contains(AuthorizationGrantType.REFRESH_TOKEN)) {
+      throw new OAuth2AuthenticationException(OAuth2ErrorCodes.UNAUTHORIZED_CLIENT);
+    } else {
+      return new OAuth2ClientAuthenticationToken(clientId,
+                                                 ClientAuthenticationMethod.NONE,
+                                                 null,
+                                                 Collections.emptyMap());
+    }
+  }
+
+}
diff --git a/auth-server-service/src/main/java/io/meeds/oauth2/server/service/OAuthClientService.java b/auth-server-service/src/main/java/io/meeds/oauth2/server/service/OAuthClientService.java
@@ -45,6 +45,7 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.HttpStatusCode;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
 import org.springframework.security.oauth2.core.oidc.OidcScopes;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient.Builder;
@@ -249,7 +250,12 @@ public RegisteredClient createClient(RegisteredClient client) throws ObjectAlrea
     if (getClient(client.getClientId(), true) != null) {
       throw new ObjectAlreadyExistsException("A client with id '%s' already exists".formatted(client.getClientId()));
     }
-    RegisteredClient clientToCreate = normalizeClient(client.getClientId(), client, null, true);
+    boolean isPublicClient = client.getClientAuthenticationMethods().contains(ClientAuthenticationMethod.NONE);
+
+    boolean shouldApplyPublicDefaults = Objects.equals(client.getClientSettings().getSetting(CLIENT_IS_CIMD_SETTING), true)
+                                        || Objects.equals(client.getClientSettings().getSetting(CLIENT_IS_DCR_SETTING), true)
+                                        || isPublicClient;
+    RegisteredClient clientToCreate = normalizeClient(client.getClientId(), client, null, shouldApplyPublicDefaults);
     saveClient(clientToCreate);
     return getClient(client.getClientId(), true);
   }