This page is under construction
The refresh token grant can be used when the current access token has expired and a new access token is needed. Here the refresh token acts as a credential and is issued to the client by the authorization server. Issuing a refresh token is optional; if the authorization server issues one, it is included when the access token is issued. WSO2 Identity Server issues refresh tokens for grant types other than the implicit grant.
Flow:
In order to use this grant type, a refresh token must already have been received through a grant type such as authorization code, password or client credentials. Using this refresh token, a new access token can then be obtained, along with a new refresh token, without going through any additional steps.
Recommended Use:
This refresh token needs to be kept secret, similar to the access token.
Configurations:
<!-- Validity period for refresh token -->
<RefreshTokenValidityPeriod>84600</RefreshTokenValidityPeriod>
...
<!-- Enable renewal of refresh token for refresh_token grant -->
<RenewRefreshTokenForRefreshGrant>true</RenewRefreshTokenForRefreshGrant>
- "RefreshTokenValidityPeriod" is specified in seconds. By default it is valid for one day.
- By default "RenewRefreshTokenForRefreshGrant" is set to true:
  - the refresh token is renewed when the refresh grant is used to get an access token, so a new refresh token is issued with a new expiry time
  - the previous refresh token is then expired and can no longer be used
- If set to false:
  - unless the refresh grant is called, the same refresh token is returned irrespective of the expiry time set for the refresh token
Try Out Scenario with cURL:
curl -k -d "grant_type=refresh_token&refresh_token=<refresh_token>" -H "Authorization: Basic <Base64Encoded(Client_Id:Client_Secret)>" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:9443/oauth2/token
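How a client can handle the renewal behaviour configured above, as an added example that is not WSO2 code: it builds the same request as the cURL call and replaces the stored refresh token with the one returned. The function names, the `FakeTokenEndpoint` stand-in, the sample tokens, and the `invalid_grant` error and response fields (taken from the OAuth 2.0 specification, RFC 6749) are assumptions for illustration.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode

def build_refresh_request(client_id, client_secret, refresh_token):
    """Headers and form body equivalent to the cURL call on this page."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token})
    return headers, body

def refresh(store, client_id, client_secret, send):
    """One refresh; send(headers, body) -> (status, json_text) is the transport."""
    headers, body = build_refresh_request(client_id, client_secret, store["refresh_token"])
    status, text = send(headers, body)
    payload = json.loads(text)
    if status != 200:
        # Token expired or already replaced: drop it instead of retrying it;
        # the user has to go through the original grant again.
        store["refresh_token"] = None
        raise RuntimeError(payload.get("error", "refresh_failed"))
    store["access_token"] = payload["access_token"]
    # Renewal on: a new refresh token arrives and must replace the stored one.
    # Renewal off: the same value comes back, so this assignment is a no-op.
    store["refresh_token"] = payload.get("refresh_token", store["refresh_token"])
    return store

class FakeTokenEndpoint:
    """Constructed in-memory stand-in for /oauth2/token (demo only)."""
    def __init__(self, first_refresh_token, renew=True):
        self.valid, self.renew, self.count = first_refresh_token, renew, 0

    def __call__(self, headers, body):
        if parse_qs(body)["refresh_token"][0] != self.valid:
            return 400, json.dumps({"error": "invalid_grant"})
        self.count += 1
        if self.renew:  # models RenewRefreshTokenForRefreshGrant=true
            self.valid = f"rt-{self.count}"  # previous token stops working
        return 200, json.dumps({"access_token": f"at-{self.count}",
                                "refresh_token": self.valid,
                                "token_type": "Bearer", "expires_in": 3600})

if __name__ == "__main__":
    endpoint = FakeTokenEndpoint("rt-0")  # constructed sample tokens
    state = refresh({"refresh_token": "rt-0"}, "demo_id", "demo_secret", endpoint)
    print(state["access_token"], state["refresh_token"])
```

Against a real server, `send` would POST the headers and body to the token endpoint with TLS certificate verification enabled, and `store` would be persisted before the new access token is used.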