Trying to obtain a refresh token from Okta's Org Authorization Server or a Custom Authorization Server using the Authorization Code, Authorization Code w/ PKCE, or Resource Owner Password flow does not return a refresh token, even when the offline_access scope is requested.
Example of a call using Org Authorization Server:
POST https://{OktaDomain}.okta.com/oauth2/v1/token
grant_type=password
&username=example%40mailinator.com
&password=a.gReAt.pasSword
&scope=openid%20offline_access
Example of a call using Custom Authorization Server:
POST https://{OktaDomain}.okta.com/oauth2/{authorizationServerID}/v1/token
grant_type=password
&username=example%40mailinator.com
&password=a.gReAt.pasSword
&scope=openid%20offline_access
Applies To
- OAuth 2.0
- OpenID Connect (OIDC)
- Okta Classic Engine
Cause
The API calls are correct. However, the OIDC app prerequisite has not been met. After configuring an OIDC application in the Admin UI, ensure that the Grant type includes the Refresh Token.
Resolution
To enable the retrieval of a "Refresh Token":
- Navigate to the OIDC app in the Admin UI.
- Click the General tab.
- Locate Grant type in the General Settings section.
- Ensure Refresh Token is selected, as shown in the screenshot below.
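The following is an added example, not Okta's own code or part of this article. It builds the two token endpoint URLs and the Resource Owner Password request body shown above, and adds a check that tells you whether the response actually carries the refresh token that offline_access asked for. A silently missing refresh_token (with offline_access absent from the returned scope) is the symptom of the Grant type not including Refresh Token. Assumptions: the app is a confidential client authenticated with HTTP Basic (client_id:client_secret), the function and parameter names are the example's own, and the two token responses at the bottom are constructed samples rather than captures from a tenant.

```python
"""Check an Okta token response for the refresh token offline_access asked for.

Added example, not Okta's own code. The endpoint builder and request body
mirror the two Resource Owner Password calls in the article. Assumes a
confidential client using HTTP Basic client authentication.
"""
import base64
import json
import urllib.request
from urllib.parse import quote, urlencode


def token_endpoint(okta_domain, authorization_server_id=None):
    """Return the /v1/token URL for the org server or a custom server."""
    base = f"https://{okta_domain}.okta.com/oauth2"
    if authorization_server_id:
        return f"{base}/{authorization_server_id}/v1/token"
    return f"{base}/v1/token"


def password_grant_body(username, password, scopes):
    """Form-encode a Resource Owner Password grant body (spaces as %20)."""
    return urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": " ".join(scopes),
    }, quote_via=quote)


def check_refresh_token(token_response, requested_scopes):
    """Return a list of findings; an empty list means a refresh token was issued."""
    findings = []
    if "offline_access" not in requested_scopes:
        findings.append("offline_access was not requested, so no refresh token is expected")
        return findings
    granted = set(token_response.get("scope", "").split())
    if "offline_access" not in granted:
        findings.append("server did not grant offline_access: check that the OIDC app's "
                        "Grant type includes Refresh Token")
    if "refresh_token" not in token_response:
        findings.append("token response has no refresh_token field")
    return findings


def request_token(okta_domain, client_id, client_secret, username, password,
                  scopes, authorization_server_id=None):
    """Perform the live token call (needs network and a real tenant)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(
        token_endpoint(okta_domain, authorization_server_id),
        data=password_grant_body(username, password, scopes).encode(),
        headers={
            "Authorization": f"Basic {creds}",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample responses (not captured from a real tenant).
SAMPLE_MISSING = {  # what you see when the app lacks the Refresh Token grant type
    "token_type": "Bearer", "expires_in": 3600, "scope": "openid",
    "access_token": "eyJ...constructed...", "id_token": "eyJ...constructed...",
}
SAMPLE_OK = {  # what you see once Refresh Token is selected
    "token_type": "Bearer", "expires_in": 3600, "scope": "openid offline_access",
    "access_token": "eyJ...constructed...", "id_token": "eyJ...constructed...",
    "refresh_token": "constructed-refresh-token",
}

if __name__ == "__main__":
    requested = ["openid", "offline_access"]
    for name, sample in (("missing", SAMPLE_MISSING), ("ok", SAMPLE_OK)):
        print(name, check_refresh_token(sample, requested) or "refresh token present")
```

Run the script offline to see both verdicts on the constructed samples; with a real tenant, pass the JSON returned by request_token to check_refresh_token instead. The check looks at the returned scope as well as the refresh_token field because Okta does not return an error in this situation, it simply omits offline_access from what it grants.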
Related References
- Authorization Code
- Authorization Code w/ PKCE
- Resource Owner Password
- Refresh access tokens and rotate refresh tokens
