I have a public client which gets a JWT access token. I need it to get another one (not a refresh, but for some other purpose), and I need it to do so without user interaction.
As a result, I am trying to figure out whether there is a standard OAuth flow where I can use a (JWT) access token (issued in a previous OAuth flow) to authenticate for another OAuth flow (I can't authenticate with the client secret since it's a public client).
All the things which I found are not a perfect match.
It does allow authenticating via a JWT token. However, it requires a client to issue the JWT token (signed by a certificate owned by the client) and it checks the signature. As a result, I can't use a JWT access token which was issued by the authorization server for this purpose.
This one allows using a JWT access token to get another JWT access token. So close, but no cigar. The JWT access token is not used for authentication in this flow. As a result, you still need client id + client secret to authenticate.
- Token refresh
This one can potentially be used. Just use the refresh token to get a new JWT access token. However, it feels hacky. (I may need to do this operation a lot; as a result, it feels like an abuse of token refresh mechanics. Also, my guess is it will gradually pollute the DB with used refresh tokens (this is a tiny secondary concern; however, again, this solution feels hacky).)
Am I missing anything?