Configuring Support for Refresh Tokens
Refresh tokens are credentials used to obtain access tokens. They are issued to the client by the authorization server and are used to obtain a new access token when the current one expires or otherwise becomes invalid, which allows access tokens to be given a short lifetime.
For further information, see http://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens
Refresh Tokens Support Cases
A Refresh token is only issued when one of the following grants is used:
- Authorization Code Grant
- Authorization Code Grant (PKCE)
- Resource Owner Password Grant
The Refresh token request for a public client (a client that has no client secret) should carry the same client_id as the original token request, so that the Refresh token can only be redeemed by the client it was issued to.
Refresh token support varies according to the grant used:
- For the Authorization Code Grant or Authorization Code Grant (PKCE): if the OpenID client is configured to support the offline_access scope, Refresh tokens are supported, regardless of whether the prompt consent flag is true or false (the end user can be prompted for consent during the browser-based flow).
- For the Resource Owner Password Grant:
  - If the prompt consent flag is true, offline_access should NOT be supported by the Resource Owner Password Grant, as there is no browser interaction in which to prompt the end user for consent.
  - If the prompt consent flag is false and offline_access is authorized for the client, the Resource Owner Password Grant can support Refresh tokens. In this case, the OpenID client handles the consent agreement by itself (out of the scope of the ActivID Appliance server).
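The per-grant rules above, together with the client_id binding of the Refresh token request for public clients, as an added example (this is illustrative code, not ActivID Appliance code): a small in-memory token endpoint decides whether a token response may carry a refresh token for a given grant, prompt consent flag and offline_access configuration, and then validates a grant_type=refresh_token request. The Client and RefreshTokenRecord records, the TokenEndpoint class and its method names are assumptions; the request form parameters follow RFC 6749 section 6, and the refresh token rotation on each use is an added hardening choice the page itself does not specify.

```python
"""Model of the refresh-token rules on this page (added example, not ActivID
Appliance code). The Client and RefreshTokenRecord records, the in-memory
TokenEndpoint and all function names are assumptions for illustration."""
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs

AUTHORIZATION_CODE = "authorization_code"   # also used by the PKCE variant
PASSWORD = "password"                       # Resource Owner Password Grant

# The only grants that can result in a Refresh token being issued.
REFRESH_CAPABLE_GRANTS = {AUTHORIZATION_CODE, PASSWORD}


@dataclass
class Client:
    client_id: str
    public: bool                  # public client: identified by client_id only, no secret
    offline_access_allowed: bool  # client configured to support the offline_access scope
    prompt_consent: bool          # the client's "prompt consent" flag


@dataclass
class RefreshTokenRecord:
    value: str
    client_id: str                # client the token was issued to (binding checked on use)
    scopes: frozenset
    revoked: bool = False


def may_issue_refresh_token(client, grant_type, scopes):
    """Per-grant rule: offline_access must be requested and allowed for the client;
    the password grant additionally requires that consent is not prompted."""
    if grant_type not in REFRESH_CAPABLE_GRANTS:
        return False
    if "offline_access" not in scopes or not client.offline_access_allowed:
        return False
    if grant_type == AUTHORIZATION_CODE:
        return True               # consent can be prompted in the browser; flag irrelevant
    # Resource Owner Password Grant: no end-user interaction is possible, so a
    # Refresh token is only acceptable when the client handles consent itself.
    return not client.prompt_consent


class TokenEndpoint:
    """In-memory token endpoint that remembers registered clients and issued Refresh tokens."""

    def __init__(self):
        self._clients = {}
        self._refresh_tokens = {}

    def _new_refresh_token(self, client_id, scopes):
        rec = RefreshTokenRecord(secrets.token_urlsafe(32), client_id, frozenset(scopes))
        self._refresh_tokens[rec.value] = rec
        return rec.value

    def issue(self, client, grant_type, scopes):
        """Token response for a completed grant; refresh_token is present only when allowed."""
        self._clients[client.client_id] = client
        response = {"access_token": secrets.token_urlsafe(24),
                    "token_type": "Bearer", "expires_in": 300}
        if may_issue_refresh_token(client, grant_type, scopes):
            response["refresh_token"] = self._new_refresh_token(client.client_id, scopes)
        return response

    def refresh(self, form_body, authenticated_client_id=None):
        """Handle a grant_type=refresh_token request (RFC 6749 section 6 form body).
        Confidential clients are identified by client authentication
        (authenticated_client_id); a public client must send its client_id in
        the body, and it must match the client the Refresh token was issued to."""
        form = {k: v[0] for k, v in parse_qs(form_body).items()}
        if form.get("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}
        rec = self._refresh_tokens.get(form.get("refresh_token", ""))
        if rec is None or rec.revoked:
            return {"error": "invalid_grant"}
        client_id = authenticated_client_id
        if client_id is None:                     # no client authentication: public client path
            client = self._clients.get(form.get("client_id", ""))
            if client is None or not client.public:
                return {"error": "invalid_client"}
            client_id = client.client_id
        if rec.client_id != client_id:            # token was issued to another client
            return {"error": "invalid_grant"}
        requested = set(form["scope"].split()) if "scope" in form else set(rec.scopes)
        if not requested <= rec.scopes:           # scope may be narrowed, never widened
            return {"error": "invalid_scope"}
        rec.revoked = True                        # rotate: the old token is single use
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "expires_in": 300, "scope": " ".join(sorted(requested)),
                "refresh_token": self._new_refresh_token(rec.client_id, requested)}
```

Two points to notice when running this against the cases on the page: a client using the Resource Owner Password Grant with the prompt consent flag set gets no refresh token even though it requested offline_access, while the same request over the Authorization Code Grant does; and a refresh request that names a different public client_id than the one the token was issued to is refused before any new token is minted.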