Okta Identity Engine | Advanced Server Access | Answered | 2021-02-02T23:56:42.000Z | 2021-02-07T15:49:07.000Z
Refresh ID Token with Refresh Token from PKCE native app

I am trying to get a new ID token from the refresh token provided at initial login. The initial login was done with PKCE since we have a public native app.

The examples Okta provides look to be for the non-PKCE Authorization Code flow because they have a basic auth Authorization header:

https://developer.okta.com/docs/guides/refresh-tokens/use-refresh-token/

I tried leaving that off and then providing the client_id header and I get:

{
  "errorCode": "invalid_client",
  "errorSummary": "Invalid value for 'client_id' parameter.",
  "errorLink": "invalid_client",
  "errorId": "oaeY1AplM70QsqFrH9nO_ku3Q",
  "errorCauses": []
}

headers:

Content-Type: application/x-www-form-urlencoded
grant_type: refresh_token
redirect_uri: http://127.0.0.1:5127/auth
refresh_token: {refresh_token}
client_id: {client_id}


  • This is possible. You are right, though: it is not documented or shared anywhere by Okta.

    POST https://${yourOktaDomain}/oauth2/default/v1/token

    headers:
    content-type: application/x-www-form-urlencoded

    body:
    client_id=0oa1….4h4x7
    grant_type=refresh_token
    refresh_token=8vAnXd9…….LiQlIB8R4X5No

    That combination of headers and body will allow you to get new ID Tokens and Access Tokens from the Refresh Token.
    Selected as Best
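
The request shape from the answer above, as an added Python example (not part of the original thread and not Okta's code): a public PKCE client sends `client_id` in the form body with no Authorization header, and the hypothetical helper `misplaced_params` flags OAuth parameters sent as HTTP headers, as in the question. The token URL host and all sample values are placeholders.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request

# Placeholder issuer (assumption); substitute your own Okta domain.
TOKEN_URL = "https://your-okta-domain.example/oauth2/default/v1/token"
OAUTH_PARAMS = {"grant_type", "refresh_token", "client_id", "redirect_uri", "scope"}


def build_refresh_request(client_id, refresh_token, token_url=TOKEN_URL):
    """Build the refresh call for a public client: no secret, no Authorization header."""
    body = urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,        # identifies the public client, sent in the body
        "refresh_token": refresh_token,
    }).encode("ascii")
    return Request(token_url, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded",
                            "Accept": "application/json"})


def misplaced_params(headers):
    """Return OAuth parameters that were sent as HTTP headers instead of form fields."""
    return sorted(h.lower() for h in headers if h.lower() in OAUTH_PARAMS)


def parse_token_response(status, raw):
    """Return the token dict on success; raise with the error fields otherwise."""
    doc = json.loads(raw)
    if status != 200:
        # Okta-style fields as shown in the question, then standard OAuth fields.
        code = doc.get("errorCode") or doc.get("error", "unknown_error")
        detail = doc.get("errorSummary") or doc.get("error_description", "")
        raise RuntimeError(f"{code}: {detail}")
    # id_token is only returned when the original grant included the openid scope.
    missing = {"access_token", "id_token"} - set(doc)
    if missing:
        raise ValueError(f"token response missing {sorted(missing)}")
    # If the server returned a new refresh_token, the caller should replace the stored one.
    return doc
```

Pass the returned `Request` to `urllib.request.urlopen` to send it, and keep the refresh token in the platform's secure storage rather than in logs or plain files.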
  • User15730008533963521752 (Vendor Management)

    Hi Jarad,

    This is not being documented as Okta, during this type of flow, will be expecting an Okta-generated authorization code. Unfortunately, it is not currently possible to customize the set of private and public keys used to sign and verify JWTs issued by Okta. As this is not possible right now, I would suggest raising a feature request in our ideas portal.

    If you have further questions or concerns regarding this, kindly open a case with Okta support and we will gladly assist you.

    Thank you,

    Andrei

This question is closed.