I have the following scenario in which the Resource Server is given an access token as well as a refresh token while requesting a resource (in my case a REST API).
The Authentication Server is a remote server, so I have implemented the Resource Server by using RemoteTokenServices and @EnableResourceServer.
The scenario works like this: the user goes to a login form and provides their username and password. The Client validates the credentials with the Auth Server and, when successful, it saves a cookie in the user's browser with the access and refresh token.
Now the User goes to another subdomain (technically accessing another application) and is expected to be recognized.
The Client and the Resource Server do not have any communication links.
I am aware that it is not best practice to have the refresh token leave the client.
Now my question: since I already have the refresh token, I would like to extend the functionality of my application by allowing the RS to refresh tokens as well. I know that according to the OAuth2 specification, this is not the role of the RS. Does it mean I need to implement the Client? If yes, how do I do that?