Refresh Token



Once the client has received its initial access token, it can efficiently obtain a new one when that token expires, or when the token's scope or audience needs to change.

This use case is covered by the refresh_token grant type, which exchanges a refresh_token for a fresh access token.


The refresh token typically has a longer lifetime than the access token; this lifetime can be configured in the client metadata.


If the refresh token request uses DPoP and the client is public, then the refresh token must also be DPoP bound. It is recommended to sender-constrain the refresh token instead of rotating refresh tokens.


Table 1: Specifications

Name            Description
OAuth 2.1       Core specification for OAuth
OpenID Connect  Core specification for OpenID Connect

The request carries the refresh token obtained from the initial token request, in which the first tokens were issued through another grant such as authorization_code.


The scope and audience of the new access token can be changed through the "scope" and "resource" parameters.


The following HTTP example shows a token request using the refresh token issued by the identity provider.

POST /connect/token HTTP/1.1
Host: idp.authserver.dk
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

grant_type=refresh_token
&refresh_token=SplxlOBeZQQYbYS6WxSbIA
&scope=weather:read
&resource=https%3A%2F%2Fapi-one.protectedresource.dk


The following HTTP example shows a token response containing tokens exchanged from the refresh token.

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store

{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"Bearer",
  "expires_in":3600,
  "scope":"weather:read",
  "id_token":"eyJhbGciOiJSUzI1NiIsImtpZCI...",
  "grant_id":"78FF77E8-F146-4F37-9C28-5FD0BC936980"
}
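The request above (client authentication, grant_type, scope and resource narrowing) and the response handling can be put together in a small client-side helper. This is an added example, not code from the identity provider; it assumes the client_id "s6BhdRkqt3" and secret "gX1fBat3bV" decoded from the example's Authorization header, refreshes slightly before expiry, rejects a response that grants more scope than was requested, and keeps the existing refresh token when the server does not rotate it (as in the response above).

```python
import base64
import json
from typing import Optional
from urllib.parse import urlencode


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Confidential-client authentication for the token endpoint (client_secret_basic)."""
    creds = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def build_refresh_request(refresh_token: str, scope: Optional[str] = None,
                          resource: Optional[str] = None) -> str:
    """Form-encoded body for the refresh_token grant; scope/resource narrow the new token."""
    params = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    if scope:
        params["scope"] = scope
    if resource:
        params["resource"] = resource
    return urlencode(params)


def needs_refresh(expires_at: float, now: float, skew: int = 60) -> bool:
    """Refresh shortly before expiry so no request goes out with a stale access token."""
    return now >= expires_at - skew


def parse_token_response(body: str, old_refresh_token: str,
                         requested_scope: Optional[str], now: float) -> dict:
    """Validate the token response and return the new client-side token state.

    A missing "scope" means the granted scope equals the requested one; a granted
    scope wider than requested is rejected. A missing "refresh_token" means the
    server did not rotate, so the client keeps the token it already holds.
    """
    data = json.loads(body)
    if "access_token" not in data or data.get("token_type", "").lower() != "bearer":
        raise ValueError("response does not carry a bearer access token")
    requested = set((requested_scope or "").split())
    granted = set(data["scope"].split()) if "scope" in data else requested
    if requested and not granted <= requested:
        raise ValueError(f"granted scope {sorted(granted)} exceeds requested scope")
    return {
        "access_token": data["access_token"],
        "expires_at": now + int(data.get("expires_in", 0)),
        "scope": granted,
        "refresh_token": data.get("refresh_token", old_refresh_token),
    }
```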