Refresh Token with Authorization Code Grant Flow

To get a Refresh token, you must include the offline_access scope when you initiate an authentication request through the authentication endpoint.

For example, if you are using Authorization Code Grant for a confidential client, the authentication request would be similar to the following samples:

  1. Send an authorization request to the authentication endpoint, with the offline_access scope:

    https://server.example.com:8445/idp/domain/login?
    scope=openid%20profile%20offline_access&response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=https://YOUR_APP/callback&state={OPAQUE_VALUE}
  2. With the code obtained in the previous step, send a token request to the token endpoint, with the same client_id as the authorization request:

    POST https://[base-server-url]/{tenant}/authn/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Authorization: Bearer Z+KhiAAAAWNzjH1N2CIYsVDj3QN4Q+QBlDfS1c/h
     
    grant_type=authorization_code&code=35256753&redirect_uri=http%3A%2F%2Flocalhost&client_id=OpenID_admin

    Refresh token response:

    HTTP/1.1 200 OK
    Cache-Control: no-store
    Pragma: no-cache
    Content-Type: application/json;charset=UTF-8
     
    {
    "access_token": "TXsPDQAAAWOsBlW9CNksRDNNW0YDZg0C3/x3j35Q",
    "refresh_token": "31701300",
    "id_token": "eyJraWQiOiIxNTI...",
    "token_type": "Bearer",
    "expires_in": 3599
    }
  3. Get a new access token (and a new Refresh token if required) with the Refresh token:

    POST https://[base-server-url]/{tenant}/authn/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Authorization: Bearer Z+KhiAAAAWNzjH1N2CIYsVDj3QN4Q+QBlDfS1c/h
     
    grant_type=refresh_token&refresh_token=31701300&scope=openid%20profile%20offline_access

    Access token response (with a new Refresh token, because offline_access was requested):

    HTTP/1.1 200 OK
    Cache-Control: no-store
    Pragma: no-cache
    Content-Type: application/json;charset=UTF-8
     
    {
    "access_token": "TXsPDQAAAWOweB74kADgSx0xpzpJXRekii6ergZD",
    "refresh_token": "08905431",
    "id_token":"eyJraW....",
    "token_type": "Bearer",
    "expires_in": 3547
    }
Note: If the offline_access scope is not present in the refresh request, a new Refresh token is not returned.
  • Use case 1 – the original session is not yet expired.

    In this case, the original session/access token will be returned as result of refresh request, as it is still valid.

  • Use case 2 – the original session has expired.

    In this case, a new session/access token will be generated.

In all cases, the same refresh token can be used only once. If it is used a second time, this is treated as a potential attack: the session bound to that refresh token is revoked and an invalid_grant error is returned.
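The rules above (single-use refresh tokens, reuse detection that revokes the bound session, the two use cases for a still-valid versus expired session, and offline_access gating whether a new refresh token is returned) can be modelled on the server side. The following is an added example written for this page, not the vendor's implementation: the `TokenStore`, `Session` and `InvalidGrant` names, the in-memory storage and the injectable clock are assumptions, and all token values are constructed at run time.

```python
"""Model of the refresh-token rules described above (added example, not the
vendor's code): one-time refresh tokens, reuse detection that revokes the
bound session, and offline_access gating new refresh tokens."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List


class InvalidGrant(Exception):
    """Mirrors the invalid_grant error the token endpoint returns."""


@dataclass
class Session:
    access_token: str
    expires_at: float
    revoked: bool = False


@dataclass
class TokenStore:
    # Clock is injectable so the expiry behaviour can be driven deterministically.
    now: Callable[[], float] = time.time
    lifetime: int = 3600
    sessions: Dict[str, Session] = field(default_factory=dict)
    # refresh_token -> [session_id, already_used]
    refresh_tokens: Dict[str, List] = field(default_factory=dict)

    @staticmethod
    def _new_token() -> str:
        return secrets.token_urlsafe(24)  # constructed opaque value

    def _response(self, sid: str, scope: str) -> dict:
        session = self.sessions[sid]
        resp = {"access_token": session.access_token, "token_type": "Bearer",
                "expires_in": int(session.expires_at - self.now())}
        # A refresh token is only handed out when offline_access was requested.
        if "offline_access" in scope.split():
            rt = self._new_token()
            self.refresh_tokens[rt] = [sid, False]
            resp["refresh_token"] = rt
        return resp

    def issue_from_code(self, scope: str) -> dict:
        """Simulates the authorization_code exchange: creates a new session."""
        sid = self._new_token()
        self.sessions[sid] = Session(self._new_token(), self.now() + self.lifetime)
        return self._response(sid, scope)

    def refresh(self, refresh_token: str, scope: str = "") -> dict:
        """Simulates grant_type=refresh_token with the page's one-time-use rule."""
        entry = self.refresh_tokens.get(refresh_token)
        if entry is None:
            raise InvalidGrant("unknown refresh token")
        sid, used = entry
        session = self.sessions[sid]
        if used or session.revoked:
            # Second use of the same token: potential attack, revoke the whole session.
            session.revoked = True
            raise InvalidGrant("refresh token reuse detected; session revoked")
        entry[1] = True  # consume the token
        if self.now() >= session.expires_at:
            # Use case 2: the session has expired, generate a new access token.
            session.access_token = self._new_token()
            session.expires_at = self.now() + self.lifetime
        # Use case 1 (session still valid) falls through and returns the same access token.
        return self._response(sid, scope)


def run_scenario() -> dict:
    """Walks through the flow with a controllable clock and returns what was observed."""
    clock = {"t": 1_000_000.0}
    store = TokenStore(now=lambda: clock["t"])
    scope = "openid profile offline_access"
    results = {}

    initial = store.issue_from_code(scope)
    r1 = store.refresh(initial["refresh_token"], scope)
    results["case1_same_access_token"] = r1["access_token"] == initial["access_token"]

    clock["t"] += store.lifetime + 1  # let the session expire
    r2 = store.refresh(r1["refresh_token"], scope)
    results["case2_new_access_token"] = r2["access_token"] != r1["access_token"]

    try:  # replaying the already-consumed token
        store.refresh(r1["refresh_token"], scope)
        results["reuse_rejected"] = False
    except InvalidGrant:
        results["reuse_rejected"] = True
    try:  # the legitimate successor token is dead too, because the session was revoked
        store.refresh(r2["refresh_token"], scope)
        results["session_revoked"] = False
    except InvalidGrant:
        results["session_revoked"] = True

    other = store.issue_from_code(scope)
    r3 = store.refresh(other["refresh_token"], "openid profile")
    results["no_refresh_token_without_offline_access"] = "refresh_token" not in r3
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The reuse check deliberately revokes the session rather than just rejecting the request: once a refresh token has been presented twice, the server cannot tell which presenter was the legitimate client, so both the replayed token and the token issued to the legitimate party stop working, which is exactly the behaviour the note above describes.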