Refresh Token



Once the client has received its initial access token, it is more efficient to refresh that token when it expires, or when the token's scope or audience needs to change, than to start a new authorization flow.

This use case is covered by the refresh_token grant type, which exchanges a refresh_token for a fresh access token.


The refresh token typically has a longer lifetime than the access tokens; its lifetime can be configured in the client metadata.


If the refresh token request uses DPoP and the client is a public client, the refresh token must also be DPoP-bound.

It is recommended to sender-constrain the refresh token instead of rotating refresh tokens.

Table 1: Specifications

Name              Description
OAuth 2.1         Core specification for OAuth
OpenID Connect    Core specification for OpenID Connect

The request carries a refresh token obtained from the initial token request, the one that issued the first token through another grant such as authorization_code.


It is possible to refresh a token and request only a subset of the grant's scope. In that case, pass a scope parameter with the request.

To keep the original scope, omit the scope parameter.


The following HTTP example shows a token request that presents the refresh token to the identity provider.

POST /connect/token HTTP/1.1
Host: idp.authserver.dk
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

grant_type=refresh_token
&refresh_token=SplxlOBeZQQYbYS6WxSbIA


The following HTTP example shows a token response containing the tokens issued in exchange for the refresh token.

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store

{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"Bearer",
  "expires_in":3600,
  "scope":"weather:read",
  "id_token":"eyJhbGciOiJSUzI1NiIsImtpZCI...",
  "grant_id":"78FF77E8-F146-4F37-9C28-5FD0BC936980"
}
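As an added example (not authserver.dk's own code), the following Python token-endpoint handler enforces the rules described above for the refresh_token grant: the refresh token must belong to the authenticated client, a sender-constrained (DPoP-bound) token is only honoured when the verified proof key matches the bound key, and a scope parameter may only narrow the original grant. The token store, the client id "s6BhdRkqt3" and the thumbprint "jkt-abc" are constructed for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

@dataclass
class RefreshToken:
    client_id: str            # client the token was issued to
    grant_id: str             # grant the token belongs to (kept across refreshes)
    scope: frozenset          # scope originally granted
    expires_at: float         # refresh tokens outlive access tokens
    dpop_jkt: Optional[str]   # JWK thumbprint it is sender-constrained to, if any

# Constructed store: the page's refresh token, here bound to a DPoP key with
# thumbprint "jkt-abc" (constructed) and belonging to client "s6BhdRkqt3".
STORE = {
    "SplxlOBeZQQYbYS6WxSbIA": RefreshToken(
        "s6BhdRkqt3", "78FF77E8-F146-4F37-9C28-5FD0BC936980",
        frozenset({"weather:read", "weather:write"}), time.time() + 86400, "jkt-abc"),
}

def refresh(form: dict, client_id: str, dpop_jkt: Optional[str] = None) -> tuple:
    """Handle a refresh_token grant; returns (HTTP status, JSON body).
    client_id: client authenticated at the endpoint (e.g. via HTTP Basic).
    dpop_jkt: thumbprint of the key in an already-verified DPoP proof, or None."""
    if form.get("grant_type") != "refresh_token":
        return 400, {"error": "unsupported_grant_type"}
    rt = STORE.get(form.get("refresh_token", ""))
    # Unknown, expired, or another client's token: one error, no detail leaked
    if rt is None or rt.expires_at < time.time() or rt.client_id != client_id:
        return 400, {"error": "invalid_grant"}
    # Sender-constrained token: the proof key must be the bound key
    if rt.dpop_jkt is not None and dpop_jkt != rt.dpop_jkt:
        return 400, {"error": "invalid_grant"}
    # An explicit scope may only narrow the grant, never widen it
    scope = rt.scope
    if "scope" in form:
        requested = frozenset(form["scope"].split())
        if not requested or not requested <= rt.scope:
            return 400, {"error": "invalid_scope"}
        scope = requested
    return 200, {
        "access_token": secrets.token_urlsafe(16),
        "token_type": "DPoP" if rt.dpop_jkt else "Bearer",
        "expires_in": 3600,
        "scope": " ".join(sorted(scope)),
        "grant_id": rt.grant_id,   # same grant as the original token
    }
```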