Using Refresh Tokens

When you obtain an OAuth access token, you can also choose to obtain a refresh token. A refresh token can be exchanged for a new access token when the current access token expires. Refresh tokens are optional, but using them avoids re-authenticating every time an access token expires. Because a refresh token is a long-lived credential that can mint new access tokens, store it as carefully as the client secret and never expose it to the browser or to logs.

When you use a refresh token to retrieve a new access token, the new access token is issued for the scope you passed in the initial access token request and inherits that scope's configured expiry. You cannot use the refresh grant to widen the scope beyond what was originally granted.

Enabling Refresh Tokens

To enable refresh tokens, you might have to edit the confidential application in your identity provider so that the refresh token grant type is allowed. If the grant type is not enabled, the token endpoint will not return a refresh token even when "offline_access" is requested.

Obtaining Refresh Tokens

To obtain a refresh token, you must add "offline_access" to the scope parameter you send when you call the oauth2/v1/token endpoint. For example:

urn:opc:idm:__myscopes__ offline_access

The response will include a refresh token as well as the OAuth access token. For example:

{"access_token": "<OAuth_access_token>", "token_type": "Bearer", "expires_in": <token_expiration>, "refresh_token": "<refresh_token>"}

Using Refresh Tokens

To use the refresh token to generate a new access token, call the /oauth2/v1/token endpoint of your identity domain with the refresh_token grant type. The client must authenticate itself on this call, either with its client ID and client secret (HTTP Basic) or with a signed JWT client assertion.

Here is an example call that exchanges a refresh token for a new access token, authenticating the client with its Client ID and Client Secret:

The variables in this example must be replaced with the following information:

  • <identity_domain_url>: The URL of your OCI identity domain.
  • <base64_encoded_clientID:client_secret>: The Base64 encoded client ID and client secret provided by your identity provider.
  • <refresh_token>: The refresh token that was returned together with the access token for this confidential application.
    POST https://<identity_domain_url>/oauth2/v1/token
     
          Headers: 
            Content-Type: application/x-www-form-urlencoded 
            Authorization: Basic <base64_encoded_clientID:client_secret> 
           
          Body (newlines for clarity): 
            grant_type=refresh_token 
            &refresh_token=<refresh_token>
    
    

Here is an example call that exchanges a refresh token for a new access token, authenticating the client with a JWT client assertion instead of a client secret:

The variables in this example must be replaced with the following information:

  • <identity_domain_url>: The URL of your OCI identity domain.
  • <refresh_token>: The refresh token that was returned together with the access token for this confidential application.
  • <client_id>: The client ID of the confidential application (the plain client ID, not the Base64 encoded ID:secret pair used with Basic authentication).
  • <JWT_client_assertion>: The signed JWT client assertion, in compact serialization, that your confidential application creates and signs with its private key; the identity provider validates the signature against the certificate registered for the application.
    POST https://<identity_domain_url>/oauth2/v1/token 
           
          Headers: 
            Content-Type: application/x-www-form-urlencoded 
           
          Body (newlines for clarity): 
            grant_type=refresh_token 
            &refresh_token=<refresh_token> 
            &client_id=<client_id> 
            &client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer 
            &client_assertion=<JWT_client_assertion>
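The following Python example, added here and not taken from the OCI documentation, ties the pieces above together: it appends "offline_access" to a scope string, builds the refresh_token grant request for both client authentication methods (Basic and JWT client assertion), parses the token response, and refreshes only when the access token is about to expire. It keeps the old refresh token if the server does not rotate it and surfaces an invalid_grant error so the caller knows a full re-authentication is needed. The host name, client ID, client secret, token values and the fake send function are constructed for the demonstration; the signed client assertion is passed in as an opaque string because signing it requires the application's private key.

```python
import base64
import json
import time
from urllib.parse import urlencode

TOKEN_PATH = "/oauth2/v1/token"
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
OFFLINE_ACCESS = "offline_access"


class TokenError(Exception):
    """Raised when the token endpoint returns an OAuth error object."""

    def __init__(self, error, description=""):
        super().__init__(f"{error}: {description}")
        self.error = error


def request_scope(scope):
    """Return the scope string with offline_access appended (once)."""
    parts = scope.split()
    if OFFLINE_ACCESS not in parts:
        parts.append(OFFLINE_ACCESS)
    return " ".join(parts)


def basic_auth_header(client_id, client_secret):
    """HTTP Basic value: Base64 of 'client_id:client_secret'."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_refresh_request(domain_host, refresh_token, client_id,
                          client_secret=None, client_assertion=None):
    """Return (url, headers, form_body) for a refresh_token grant.

    Uses Basic auth when a client_secret is given, otherwise the
    JWT client assertion method (client_id goes in the body, unencoded).
    """
    if (client_secret is None) == (client_assertion is None):
        raise ValueError("supply exactly one of client_secret or client_assertion")
    url = f"https://{domain_host}{TOKEN_PATH}"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    if client_secret is not None:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    else:
        form["client_id"] = client_id
        form["client_assertion_type"] = ASSERTION_TYPE
        form["client_assertion"] = client_assertion
    return url, headers, urlencode(form)


class TokenSet:
    def __init__(self, access_token, refresh_token, expires_at):
        self.access_token = access_token
        self.refresh_token = refresh_token
        self.expires_at = expires_at  # absolute epoch seconds

    @classmethod
    def from_response(cls, body, now, previous=None):
        """Parse a token response; keep the old refresh token if none is rotated in."""
        data = json.loads(body)
        if "error" in data:
            # invalid_grant means the refresh token is expired/revoked: re-authenticate.
            raise TokenError(data["error"], data.get("error_description", ""))
        new_rt = data.get("refresh_token") or (previous.refresh_token if previous else None)
        return cls(data["access_token"], new_rt, now + int(data["expires_in"]))

    def needs_refresh(self, now, skew=60):
        """Refresh a little early so in-flight calls do not hit an expired token."""
        return now >= self.expires_at - skew


def ensure_fresh(tokens, send, now, domain_host, client_id, client_secret):
    """Return tokens that are valid at 'now', refreshing via 'send' if needed.

    'send(url, headers, body)' performs the POST and returns the response text.
    """
    if not tokens.needs_refresh(now):
        return tokens
    url, headers, body = build_refresh_request(
        domain_host, tokens.refresh_token, client_id, client_secret=client_secret)
    return TokenSet.from_response(send(url, headers, body), now, previous=tokens)


def demo():
    """Offline walk-through with a constructed (fake) token endpoint."""
    def fake_send(url, headers, body):
        assert url.endswith(TOKEN_PATH) and "Authorization" in headers
        assert "grant_type=refresh_token" in body
        # Constructed response: a new access token, refresh token not rotated.
        return json.dumps({"access_token": "AT-2", "token_type": "Bearer", "expires_in": 3600})

    now = 1_700_000_000
    stale = TokenSet("AT-1", "RT-1", now + 30)  # expires within the 60 s skew
    return ensure_fresh(stale, fake_send, now, "idcs-example.identity.oraclecloud.com",
                        "example-client-id", "example-client-secret")


if __name__ == "__main__":
    t = demo()
    print(t.access_token, t.refresh_token, t.expires_at)
```

A real client would replace fake_send with an HTTPS POST and persist the returned TokenSet; on a TokenError with error "invalid_grant" it must fall back to the initial authorization flow rather than retrying the refresh.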