
Exercise 3 Refreshtokens 1629384895590

This document describes how to obtain a refresh token and use it to get new access tokens. It involves enabling refresh tokens for an application, requesting a refresh token during authorization by including the "offline_access" scope, exchanging an authorization code for an access token and refresh token, and then using the refresh token to request a new access token.

Uploaded by

uday samala

Refresh Tokens

Description
In this exercise you’ll learn how to obtain a refresh token and use it to get new access tokens.

Estimated Duration
15

Instructions
Make sure you’ve completed the first Getting Started exercise, as you’ll need the account and
setup steps in that exercise to be complete first.

The goal of this exercise is to get a refresh token and use the refresh token to get a new access
token. We will be building on the previous exercise where you used the authorization code flow
to get an access token. Rather than repeat all the setup steps here, we’ll assume you have
already done that exercise.

From the side menu, click Applications and then Applications.

Then select the application you created previously.

Click on Edit under General Settings, then scroll down and enable the Refresh Token
checkbox. This allows your application to request refresh tokens and use them. Without this
checked, the authorization server will not issue refresh tokens to this application.

Now you’ll want to start a new OAuth flow and request a refresh token. Build the authorization
URL like you did in the previous lesson, but this time also add the scope offline_access to the
request.

https://dev-xxxxxx.okta.com/oauth2/default/v1/authorize?
response_type=code&
scope=offline_access+{YOUR_SCOPE}&
client_id={YOUR_CLIENT_ID}&
state={RANDOM_STRING}&
redirect_uri=https://example-app.com/redirect&
code_challenge={YOUR_CODE_CHALLENGE}&
code_challenge_method=S256

Paste the completed URL into the Refresh Token exercise
(https://oauth.school/exercise/refresh/) to check your work. This will double check that you’ve
included the right scope in the request. Once that’s confirmed, the “Log In” button will appear.
Click that and you’ll be taken to the authorization server, and since you’re already logged in,
you’ll be redirected back immediately with an authorization code in the query string.

Now you’ll need to make a POST request to the token endpoint to get an access token. This
request is the same as before. Replace the placeholder values with your own.

curl -X POST https://dev-xxxxxx.okta.com/oauth2/default/v1/token \
  -d grant_type=authorization_code \
  -d redirect_uri=https://example-app.com/redirect \
  -d client_id={YOUR_CLIENT_ID} \
  -d client_secret={YOUR_CLIENT_SECRET} \
  -d code_verifier={YOUR_CODE_VERIFIER} \
  -d code={YOUR_AUTHORIZATION_CODE}

If everything worked, you’ll get back a response that includes both an access token and a
refresh token! Paste the entire token response (not just the access token) into the oauth.school
website to check your work.

If that succeeds, you’ll be taken to the next step. Now you’ll need to use the refresh token to get
a new access token.

Make a POST request to the token endpoint again, but this time you’ll use new parameters to
make the refresh token request.

curl -X POST https://dev-xxxxxx.okta.com/oauth2/default/v1/token \
  -d grant_type=refresh_token \
  -d client_id={YOUR_CLIENT_ID} \
  -d client_secret={YOUR_CLIENT_SECRET} \
  -d refresh_token={YOUR_REFRESH_TOKEN}

You should get back a new access token response, which will look similar to the previous
response, except that it will include a new access token. Paste the entire response into the field to
check the result!
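
An added example (not part of the original exercise) of the client-side handling around the two token responses: it builds the refresh_token request body from the first response, reports why no refresh token was issued when one is missing, and merges the refresh response into the stored tokens. All token values are constructed samples, and the function and exception names are hypothetical.

```python
from urllib.parse import urlencode

# Constructed sample of the first token response (authorization_code grant).
FIRST_RESPONSE = {
    "token_type": "Bearer",
    "expires_in": 3600,
    "access_token": "constructed-access-1",
    "scope": "offline_access photos",
    "refresh_token": "constructed-refresh-1",
}


class NoRefreshToken(Exception):
    """The token response cannot be used for a refresh_token grant."""


def refresh_request_body(token_response, client_id, client_secret):
    """Form body for grant_type=refresh_token, built from a token response."""
    if "error" in token_response:
        raise NoRefreshToken(f"token endpoint error: {token_response['error']}")
    refresh_token = token_response.get("refresh_token")
    if not refresh_token:
        granted = token_response.get("scope")
        if granted is not None and "offline_access" not in granted.split():
            raise NoRefreshToken("offline_access missing from the granted scope")
        raise NoRefreshToken("no refresh token issued; check that Refresh Token "
                             "is enabled for the application")
    return urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    })


def apply_refresh(current, refreshed):
    """Merge a refresh response into the stored tokens.

    The access token is replaced. A refresh token in the response replaces
    the stored one; if the response carries none, the stored one is kept.
    """
    if "access_token" not in refreshed:
        raise NoRefreshToken("refresh response carries no access_token")
    merged = dict(current)
    merged.update(refreshed)
    return merged
```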

If that worked, you’ll get a message saying you’ve completed the exercise!
