Configuring Support for Refresh Tokens

Refresh tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires (allowing access tokens have a shorter lifetime).

For further information, go to http://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens

Refresh Tokens Support Cases

You can only get a Refresh token if you are using:

  • Authorization Code Grant

  • Authorization Code Grant (PKCE)

  • Resource Owner Password Grant

Note: Refresh tokens are supported with a public client, (for further information, see Leveraging Proof Key for Code Exchange (PKCE) in the Authorization Code Grant Flow).

The Refresh token request for a public client should have the same client_id.

Refresh token support varies according to the grant used:

  • For the Authorization Code Grant or Authorization Code Grant (PKCE):

  • If the OpenID client is configured to support the offline_access scope, Refresh tokens are supported (regardless if the prompt consent flag is true or false),

  • For the Resource Owner Password Grant:

    • If the prompt consent flag is true, offline_access should NOT be supported by the Resource Owner Password Grant as it is not possible to prompt for end-user consent.

    • If the prompt consent flag is false, and offline_access is authorized for the client, the Resource Owner Password Grant can support Refresh tokens. In this case, the OpenID client handles the consent agreement by itself (out of scope of the ActivID Appliance server).

Topics in this section: