0D50Z00008OJhYQSA1 | Okta Classic Engine | Single Sign-On | Answered | 2024-04-15T09:14:28.000Z | 2018-09-19T21:00:41.000Z | 2018-10-12T18:42:39.000Z

f3es4 (f3es4) asked a question.

[openid connect] how to grant offline_access scope?

A refresh_token is not being returned by the OpenID provider in the response from the token endpoint. So, though the "refresh token" grant is enabled for the user, it may require the offline_access scope to be granted so that a refresh_token is also returned along with the access_token and id_token (as per the response parameters table documentation in https://developer.okta.com/docs/api/resources/oidc*token). Currently the user is granted the openid and profile scopes. How to grant offline_access scope?


  • alex.susu1.5222280451736545E12 (Vendor Management)

    Hi Shyam,

    As per documentation, the request should be:

    https://atko.oktapreview.com/oauth2/default/v1/authorize?client_id=0oabv6kx4qq6h1U5l0h7&response_type=id_token token&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080&state=state-296bc9a0-a2a2-4a57-be1a-d0e2fd9bb601&nonce=foo

    and the response follows as:

     "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ2ZXIiOjEsImp0aSI6IkFULm43cUkyS2hnbjFSZkUwbllQbFJod0N6UmU5eElIOUQ1cXFQYzNBNTQzbDQiLCJpc3MiOiJodHRwczovL21pbG xpd2F5cy5va3RhLmNvbS9vYXV0aDIvYXVzOXVnbGRjbTJ0SFpqdjQwaDciLCJhdWQiOiJodHRwczovL21pbGxpd2F5cy5va3RhLmNvbSIsImlhdCI6MTQ4OTY5Nzk0NSwiZXhwIjoxNDk1MjIxMTQ1LCJjaWQiOiJBeD VYclI0YU5Ea2pDYWNhSzdobiIsInVpZCI6IjAwdTljcDFqY3R3Ymp0a2tiMGg3Iiwic2NwIjpbIm9wZW5pZCIsIm9mZmxpbmVfYWNjZXNzIl0sInN1YiI6ImZvcmQucHJlZmVjdEBtaWxsaXdheXMuY29tIn0.hb3oS9 2Nb7QmLz299SfB-qqTP9GsMtc2umA2sJwe4",

    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "openid offline_access",
    "refresh_token": "IJFLydLpLZ7-9spMSePkqgBSTnjBluJIJi6HESG84cE",
    "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIwMHU5Y3AxamN0d2JqdGtrYjBoNyIsInZlciI6MSwiaXNzIjoiaHR0cHM6Ly9taWxsaXdheXMub2t0YS5jb20vb2F1dGgyL2F1czl1Z2 xkY20ydEhaanY0MGg3IiwiYXVkIjoiQXg1WHJSNGFORGtqQ2FjYUs3aG4iLCJpYXQiOjE0ODk2OTc5NDUsImV4cCI6MTQ5NTIyMTE3NSwianRpIjoiSUQuNEVvdWx5WnM4MU9aaVdqQWNHQWdadmg0eUFScUdacjIwWF RLdW1WRDRNMCIsImFtciI6WyJwd2QiXSwiaWRwIjoiMDBvOWNwMWpjNmhjc0dWN2kwaDciLCJub25jZSI6ImNjYmJmNDNkLTc5MTUtNDMwMC05NTZkLWQxYjc1ODk1YWNiNyIsImF1dGhfdGltZSI6MTQ4OTY5NjAzNy wiYXRfaGFzaCI6IlRoaHNhUFd6bVlKMVlmcm1kNDM1Q0EifQ_uLqItzLzKb6m6G2-Jqs6OmrG_iWMg0P6UKQqzVggPc"

    Then you can check it with a preview under Security>API>Authorization server. If the issues continue please open a support case.

    Selected as Best
This question is closed.
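
The scope and flow conditions behind this question, as an added example that is not part of the original posts or Okta's own code: it builds the `/v1/authorize` request and explains why a token response does or does not carry a `refresh_token`. The client ID is a placeholder, the host is the one shown in the thread, and the function names and sample token responses are constructed for illustration.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed values for illustration; replace with your own org and app.
ISSUER = "https://atko.oktapreview.com/oauth2/default"  # host as shown in the thread
CLIENT_ID = "YOUR_CLIENT_ID"                             # placeholder
REDIRECT_URI = "http://localhost:8080"


def build_authorize_url(scopes, response_type="code"):
    """Build the /v1/authorize request URL for the given scopes."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": response_type,
        "scope": " ".join(scopes),
        "redirect_uri": REDIRECT_URI,
        "state": secrets.token_urlsafe(16),  # CSRF protection, verify on return
        "nonce": secrets.token_urlsafe(16),  # binds the id_token to this request
    }
    return f"{ISSUER}/v1/authorize?{urlencode(params)}"


def refresh_token_findings(authorize_url, token_response):
    """List the reasons a token response lacks (or should lack) a refresh_token."""
    query = parse_qs(urlsplit(authorize_url).query)
    requested = query.get("scope", [""])[0].split()
    response_types = query.get("response_type", [""])[0].split()
    granted = token_response.get("scope", "").split()
    findings = []
    if "offline_access" not in requested:
        findings.append("offline_access was not requested in the scope parameter")
    if "code" not in response_types:
        # OIDC Core: offline_access is ignored unless an authorization code is returned.
        findings.append("response_type does not return an authorization code")
    if "offline_access" in requested and "offline_access" not in granted:
        findings.append("offline_access requested but not granted; "
                        "check the app's grant types and access policy")
    if not findings and "refresh_token" not in token_response:
        findings.append("offline_access granted but no refresh_token present")
    return findings


if __name__ == "__main__":
    url = build_authorize_url(["openid", "profile"])  # scopes from the question
    print(refresh_token_findings(url, {"scope": "openid profile"}))  # constructed response
```

A refresh token is a long-lived credential, so request `offline_access` only for clients that can store it securely.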
