After an access token is generated, sometimes you might have to refresh or renew the old token due to expiration or security concerns. You use the refresh token grant when the current access token is expired or when a new access token is needed. With this grant type, the refresh token acts as credentials that are issued to the client by the authorization server. Issuing a refresh token is optional. If the authorization server issues a refresh token, it is included when issuing an access token. Refresh tokens are issued for all other grant types other than the implicit grant as recommended by the OAuth 2.0 specification.
| Tip |
|---|
Tip: Be sure to keep the refresh token private, similar to the access token as this token issues access tokens without user interactions. |
To use this grant type, you need a refresh token, using which you can get a new access token along with and a new refresh token. Given below is how to get a token:
- The
<RefreshTokenValidityPeriod>element is in seconds. By default, it is valid for one day. You can configure this accordingly. The
<RenewRefreshTokenForRefreshGrant>element is by default set to true.Info The refresh token is renewed when the refresh grant is used to get an access token. A new refresh token is issued with a new expiry time and the previous refresh token is then inactive and can no longer be used.
If this element is set to false, unless the refresh token has expired, the same refresh token is returned.
| Code Block | ||||
|---|---|---|---|---|
| ||||
<!-- Validity period for refresh token -->
<RefreshTokenValidityPeriod>84600</RefreshTokenValidityPeriod>
...
<!-- Enable renewal of refresh token for refresh_token grant -->
<RenewRefreshTokenForRefreshGrant>true</RenewRefreshTokenForRefreshGrant> |
Try out scenario
Run the following cURL command to try out the refresh token grant.
...
| language | powershell |
|---|
This can be done by issuing a REST call to the Token API through a REST client like cURL, with the following parameters:
- The Token API URL is
https://gateway.api.cloud.wso2.com/token. - payload -
"grant_type=refresh_token&refresh_token=<retoken>&scope=PRODUCTION". Replace the<retoken>value with the refresh token that you generate through the UI. - headers -
Authorization :Basic <base64 encoded string>, Content-Type: application/x-www-form-urlencoded. Replace<base64 encoded string>as appropriate.
For example, the following cURL command can be used to access the Token API and grant a refresh token.
| Code Block |
|---|
curl -k -d "grant_type=refresh_token&refresh_token=<refresh_token><retoken>&scope=PRODUCTION" -H "Authorization: Basic <Base64Encoded(Client_Id:Client_Secret)>" -H "SVpzSWk2SERiQjVlOFZLZFpBblVpX2ZaM2Y4YTpHbTBiSjZvV1Y4ZkM1T1FMTGxDNmpzbEFDVzhh, Content-Type: application/x-www-form-urlencoded" https://localhost:9443/oauth2/tokengateway.api.cloud.wso2.com/token |
When you use the refresh grant to get a new access token, the refresh token is renewed by default. To change this behavior, set the <RenewRefreshTokenForRefreshGrant> element to false. The new refresh token has a new expiry time and the previous refresh token becomes inactive. To change the expiry time of your refresh token, set the <RefreshTokenValidityPeriod> element is in seconds.