Refresh Tokens with OIDC

With the OIDC-conformant pipeline, :

Will no longer be returned when using the implicit grant for authentication.
Can be used by confidential applications.
Can be used with Refresh Token Rotation by public applications when using the Authorization Code Flow with PKCE.
Should use the /oauth/token endpoint to get new tokens because the /delegation endpoint is deprecated.

In addition, differences exist in the refresh token structure. To learn more, read Refresh Tokens.

Legacy (delegation)

POST /delegation
Content-Type: 'application/json'
{
  "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
  "client_id": "...",
  "refresh_token": "...",
  "scope": "openid profile"
}

OIDC-conformant (token endpoint)

POST /oauth/token
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token&refresh_token=123&client_id=123&client_secret=123&scope=openid+profile&audience=https%3A%2F%2Fapi.example.com

audience and client_secret parameters are optional.
client_secret is not needed when requesting a refresh_token for a public application.

Refresh Tokens must be kept confidential in transit and storage, and they should be shared only among the authorization server and the client to whom the refresh tokens were issued.

Add Login

Provision Users

Refresh Tokens with OIDC

Legacy (delegation)

OIDC-conformant (token endpoint)

Learn more

Add Login

Provision Users

​Legacy (delegation)

​OIDC-conformant (token endpoint)

​Learn more

Legacy (delegation)

OIDC-conformant (token endpoint)

Learn more