This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

You are viewing an old version of this page.

This page is under construction

The refresh token grant is used to obtain a new access token when the current one has expired, or whenever a fresh access token is needed. In this grant type the refresh token itself acts as the credential; it is issued to the client by the authorization server. Issuing a refresh token is optional, and when the authorization server does issue one it is returned together with the access token. WSO2 Identity Server issues refresh tokens for every grant type except the implicit grant, in line with the specification, which does not allow a refresh token in the implicit grant response.

Flow:

To use this grant type, the client must already hold a refresh token obtained through another grant type such as authorization code, password or client credentials. It then presents that refresh token to the token endpoint and receives a new access token, and depending on configuration a new refresh token, without any further user interaction or additional steps.

Recommended Use:

The refresh token must be kept as secret as the access token: anyone holding it can obtain new access tokens. Use this grant type bearing in mind that it issues access tokens without any user interaction, so a leaked refresh token remains usable until it expires or is revoked.

Configurations:

The following elements are found in the <OAuth> section of <IS_HOME>/repository/conf/identity.xml:

    <!-- Validity period for refresh token -->
    <RefreshTokenValidityPeriod>84600</RefreshTokenValidityPeriod>
    ...
    <!-- Enable renewal of refresh token for refresh_token grant -->
    <RenewRefreshTokenForRefreshGrant>true</RenewRefreshTokenForRefreshGrant>

  • RefreshTokenValidityPeriod is given in seconds. The default value of 84600 is roughly one day (a full 24 hours would be 86400 seconds).
  • RenewRefreshTokenForRefreshGrant defaults to true:
      • the refresh token is renewed whenever the refresh grant is used to obtain an access token, i.e. a new refresh token with a new expiry time is issued together with the new access token;
      • the previous refresh token becomes inactive and can no longer be used.
  • If set to false,
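The flow and the two settings above, as an added example that is not WSO2 Identity Server's own code: a toy token endpoint in Python that issues a first token through the client credentials grant, then services the refresh grant, so that the effect of RenewRefreshTokenForRefreshGrant and RefreshTokenValidityPeriod can be observed offline. The client ID, client secret and clock are constructed for the example, and the behaviour with renewal switched off (the same refresh token is returned and keeps its original expiry) is an assumption rather than something this page states.

```python
# Added example, not WSO2 Identity Server code: a toy /oauth2/token endpoint that
# models the refresh_token grant as the identity.xml settings above describe it,
# plus the request the cURL command builds. Client ID, secret and clock are
# constructed; the renew=false behaviour (same refresh token returned, original
# expiry kept) is an assumption, not something the page states.
import base64
import secrets
import time
from dataclasses import dataclass


@dataclass
class TokenRecord:
    access_token: str
    refresh_token: str
    client_id: str
    scope: str
    access_expires_at: float
    refresh_expires_at: float
    refresh_active: bool = True


def basic_auth_header(client_id: str, client_secret: str) -> dict:
    # Same header as the cURL command: Basic base64(client_id:client_secret)
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"Authorization": f"Basic {creds}",
            "Content-Type": "application/x-www-form-urlencoded"}


class TokenEndpoint:
    def __init__(self, clients, access_validity=3600, refresh_validity=84600,
                 renew_refresh_token=True, clock=time.time):
        self.clients = clients                    # client_id -> client_secret
        self.access_validity = access_validity    # access token lifetime, seconds
        self.refresh_validity = refresh_validity  # RefreshTokenValidityPeriod
        self.renew = renew_refresh_token          # RenewRefreshTokenForRefreshGrant
        self.clock = clock
        self.by_refresh = {}                      # refresh_token -> TokenRecord

    def _authenticate(self, headers):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return None
        try:
            client_id, secret = base64.b64decode(auth[6:]).decode().split(":", 1)
        except ValueError:
            return None
        expected = self.clients.get(client_id)
        if expected is None or not secrets.compare_digest(expected, secret):
            return None
        return client_id

    def _issue(self, client_id, scope):
        now = self.clock()
        rec = TokenRecord(secrets.token_urlsafe(32), secrets.token_urlsafe(32),
                          client_id, scope, now + self.access_validity,
                          now + self.refresh_validity)
        self.by_refresh[rec.refresh_token] = rec
        return rec

    def token(self, headers, form):
        """Returns (http_status, json_body) as the real endpoint would."""
        client_id = self._authenticate(headers)
        if client_id is None:
            return 401, {"error": "invalid_client"}
        grant = form.get("grant_type")
        if grant == "client_credentials":
            rec = self._issue(client_id, form.get("scope", "default"))
        elif grant == "refresh_token":
            rec = self.by_refresh.get(form.get("refresh_token", ""))
            # Unknown, foreign, already-rotated and expired refresh tokens all fail.
            if (rec is None or rec.client_id != client_id or not rec.refresh_active
                    or rec.refresh_expires_at <= self.clock()):
                return 400, {"error": "invalid_grant"}
            if self.renew:
                rec.refresh_active = False   # the previous refresh token is now dead
                rec = self._issue(client_id, rec.scope)
            else:  # assumed: new access token only; refresh token and its expiry stay
                rec.access_token = secrets.token_urlsafe(32)
                rec.access_expires_at = self.clock() + self.access_validity
        else:
            return 400, {"error": "unsupported_grant_type"}
        return 200, {"access_token": rec.access_token, "refresh_token": rec.refresh_token,
                     "token_type": "Bearer", "scope": rec.scope,
                     "expires_in": int(rec.access_expires_at - self.clock())}


def run_scenario(renew: bool, advance_seconds: int = 0):
    """client_credentials, then refresh, then replay the first refresh token."""
    clock = {"now": 1_700_000_000.0}             # constructed, controllable clock
    srv = TokenEndpoint({"sampleClientId": "sampleClientSecret"},
                        renew_refresh_token=renew, clock=lambda: clock["now"])
    hdrs = basic_auth_header("sampleClientId", "sampleClientSecret")
    _, first = srv.token(hdrs, {"grant_type": "client_credentials"})
    clock["now"] += advance_seconds
    refresh = {"grant_type": "refresh_token", "refresh_token": first["refresh_token"]}
    s1, second = srv.token(hdrs, refresh)
    s2, third = srv.token(hdrs, refresh)          # replay of the original token
    return first, (s1, second), (s2, third)
```

run_scenario(True) returns status 200 with a different refresh token on the first refresh and 400 invalid_grant when the original refresh token is replayed, which is the renewal behaviour described in the list above; run_scenario(False) keeps the same refresh token and lets it be used again; run_scenario(True, 84600) shows the refresh token being rejected once RefreshTokenValidityPeriod has elapsed.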

 

Try Out Scenario with cURL:

curl -k -d "grant_type=refresh_token&refresh_token=<refresh_token>" -H "Authorization: Basic <Base64Encoded(Client_Id:Client_Secret)>" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:9443/oauth2/token

Replace <refresh_token> with the refresh token received earlier and <Base64Encoded(Client_Id:Client_Secret)> with the Base64 encoding of the client ID and client secret joined by a colon. The -k flag makes cURL skip certificate verification; it is only acceptable here because a default Identity Server installation uses a self-signed certificate, and it should not be used against a production server.
