This article explains how to retrieve a refresh token and what authentication flows are supported.
- /token request endpoint
- refresh token functionality
Prerequisite: in the OIDC application settings (Okta Admin Dashboard > Applications > (select the OIDC client) > General Settings > Grant type), the Refresh Token grant type must be enabled.
The authentication flows available for obtaining a refresh token:
- How to retrieve the refresh token using Authorization Code flow:
The offline_access scope must be included in the authorization request.
Example:
https://{yourOktaDomain}/oauth2/v1/authorize?
client_id=0oabucvyc38HLL1ef0h7&
response_type=code&scope=openid offline_access&
redirect_uri=https%3A%2F%2Fexample.com&
state=state-296bc9a0-a2a2-4a57-be1a-d0e2fd9bb601
In this case, the next step of the flow is the /token call (grant_type: authorization_code).
The response returned from the /token request will contain the id_token, access_token, and refresh_token.
- How to retrieve the refresh token using Resource Owner Password:
Example:
curl --location 'https://{yourOktaDomain}/oauth2/v1/token' \
--header 'Accept: application/json' \
--header 'Authorization: Basic MG9hYn...' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=testuser@example.com' \
--data-urlencode 'password=%7CmCovrlnU9oZU4qWGrhQSM' \
--data-urlencode 'scope=openid offline_access'
In this case, the /token call is the only step of the flow, and the response will contain the id_token, access_token, and refresh_token.
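The requests described above, as an added example that is not Okta's own code: it builds the /authorize URL with offline_access, the /token form body with the Basic client-credential header, and checks the /token reply for a refresh_token. It goes one step beyond the page by also forming the grant_type=refresh_token request that uses the stored token. The domain, client secret, authorization code and sample reply are constructed placeholders; the client id is the sample value from the page.

```python
# Added example, not Okta's code: build the /authorize and /token requests
# described above and check the /token reply for a refresh token.
# Domain, secret, code and the sample reply are constructed placeholders.
import base64
import json
from urllib.parse import urlencode

OKTA_DOMAIN = "dev-000000.okta.com"          # placeholder
CLIENT_ID = "0oabucvyc38HLL1ef0h7"           # sample client id from the page
CLIENT_SECRET = "placeholder-client-secret"  # placeholder
REDIRECT_URI = "https://example.com"

def authorize_url(state, scopes=("openid",)):
    # Step one of the Authorization Code flow; offline_access is appended
    # if missing, because without it Okta returns no refresh_token.
    scope = list(scopes)
    if "offline_access" not in scope:
        scope.append("offline_access")
    params = {"client_id": CLIENT_ID, "response_type": "code",
              "scope": " ".join(scope), "redirect_uri": REDIRECT_URI,
              "state": state}
    return f"https://{OKTA_DOMAIN}/oauth2/v1/authorize?" + urlencode(params)

def basic_auth_header():
    # Client credentials for the 'Authorization: Basic ...' header on /token.
    raw = f"{CLIENT_ID}:{CLIENT_SECRET}".encode()
    return "Basic " + base64.b64encode(raw).decode()

def token_request(grant_type, **fields):
    # (url, headers, form body) for POST /token; grant_type is 'authorization_code'
    # (step two of the code flow), 'password', or 'refresh_token' to use a stored one.
    headers = {"Accept": "application/json",
               "Authorization": basic_auth_header(),
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": grant_type, **fields})
    return f"https://{OKTA_DOMAIN}/oauth2/v1/token", headers, body

def extract_tokens(response_text):
    # Parse the /token JSON; a missing refresh_token usually means offline_access
    # was not requested or the Refresh Token grant type is disabled on the app.
    data = json.loads(response_text)
    if "error" in data:
        raise RuntimeError(f"{data['error']}: {data.get('error_description', '')}")
    if "refresh_token" not in data:
        raise RuntimeError("no refresh_token: check offline_access and grant type")
    return data["access_token"], data["id_token"], data["refresh_token"]
# Constructed sample reply in the shape Okta returns from /token.
SAMPLE_REPLY = json.dumps({"token_type": "Bearer", "expires_in": 3600,
                           "access_token": "eyJ.access", "id_token": "eyJ.id",
                           "refresh_token": "rt_sample", "scope": "openid offline_access"})
```

To send a request, POST the returned body with the returned headers to the URL using any HTTP client, then pass the response text to extract_tokens.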
