Refresh Tokens with OIDC
With the OIDC-conformant pipeline, refresh tokens:
Will no longer be returned when using the implicit grant for authentication.
Can be used by confidential applications.
Can be used with Refresh Token Rotation by public applications when using the Authorization Code Flow with PKCE.
Should use the /oauth/token endpoint to get new tokens, because the /delegation endpoint is deprecated.
In addition, differences exist in the refresh token structure. To learn more, read Refresh Tokens.
Legacy (delegation)
POST /delegation
Content-Type: application/json
{
"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
"client_id": "...",
"refresh_token": "...",
"scope": "openid profile"
}
OIDC-conformant (token endpoint)
POST /oauth/token
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token&refresh_token=123&client_id=123&client_secret=123&scope=openid+profile&audience=https%3A%2F%2Fapi.example.com
The audience and client_secret parameters are optional. client_secret is not sent when a public application uses a refresh_token, because public applications (such as SPAs or native apps using the Authorization Code Flow with PKCE) have no client secret to present.
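As an added worked example (not code from Auth0's documentation or SDKs), the following Python builds the OIDC-conformant /oauth/token refresh request shown above for both a confidential and a public application, then applies the response, including Refresh Token Rotation. The domain, client IDs and token values are constructed placeholders. FakeAuthServer is a constructed stand-in for the token endpoint; its reuse-detection behaviour (revoking the whole token family when an already-rotated token is replayed) is an assumption for illustration, not a description of Auth0's implementation. The scope check goes beyond the page: RFC 6749 section 6 lets a refresh request narrow the granted scope but never widen it.

```python
import json
from urllib.parse import urlencode, parse_qs

TOKEN_PATH = "/oauth/token"


def build_refresh_request(domain, client_id, refresh_token, *, client_secret=None,
                          scope=None, granted_scope=None, audience=None):
    """Return (url, headers, body) for an OIDC-conformant refresh_token grant.

    client_secret is sent only for confidential applications; a public
    application omits it. RFC 6749 section 6 lets a refresh narrow scope but
    never widen it, so the request is checked against granted_scope if given.
    """
    params = {"grant_type": "refresh_token", "client_id": client_id,
              "refresh_token": refresh_token}
    if client_secret is not None:
        params["client_secret"] = client_secret
    if scope is not None:
        if granted_scope is not None:
            extra = set(scope.split()) - set(granted_scope.split())
            if extra:
                raise ValueError(f"refresh may not add scopes: {sorted(extra)}")
        params["scope"] = scope
    if audience is not None:
        params["audience"] = audience
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return f"https://{domain}{TOKEN_PATH}", headers, urlencode(params)


class TokenStore:
    """Client-side token state; applies a token endpoint response."""

    def __init__(self, refresh_token):
        self.refresh_token, self.access_token, self.id_token = refresh_token, None, None

    def apply_response(self, body):
        data = json.loads(body)
        if "error" in data:
            # invalid_grant covers an expired, revoked or already-rotated token
            raise PermissionError(data.get("error_description", data["error"]))
        self.access_token = data["access_token"]
        self.id_token = data.get("id_token")
        # With Refresh Token Rotation the response carries a new refresh_token and
        # the one just used is no longer valid; without rotation the field is absent.
        if "refresh_token" in data:
            self.refresh_token = data["refresh_token"]
        return data


class FakeAuthServer:
    """Constructed stand-in for the token endpoint (assumption: rotation with
    reuse detection that revokes the whole token family)."""

    def __init__(self, refresh_token, client_id, client_secret=None, rotate=True):
        self.valid = {refresh_token}    # tokens that may still be redeemed
        self.family = {refresh_token}   # every token ever issued in this family
        self.client_id, self.client_secret, self.rotate = client_id, client_secret, rotate
        self.issued = 0

    def handle(self, body):
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if form.get("grant_type") != "refresh_token" or form.get("client_id") != self.client_id:
            return json.dumps({"error": "invalid_request"})
        if self.client_secret is not None and form.get("client_secret") != self.client_secret:
            return json.dumps({"error": "invalid_client"})
        rt = form.get("refresh_token")
        if rt not in self.valid:
            if rt in self.family:
                self.valid.clear()      # replay of a rotated token: revoke the family
            return json.dumps({"error": "invalid_grant"})
        self.issued += 1
        resp = {"access_token": f"at-{self.issued}", "token_type": "Bearer", "expires_in": 86400}
        if "openid" in form.get("scope", "").split():
            resp["id_token"] = f"idt-{self.issued}"
        if self.rotate:
            self.valid.discard(rt)
            new_rt = f"rt-{self.issued}"
            self.valid.add(new_rt)
            self.family.add(new_rt)
            resp["refresh_token"] = new_rt
        return json.dumps(resp)


def demo():
    """Public client refreshes once, then a stale copy of the old token is replayed."""
    domain, client_id = "tenant.example.com", "spa-client"   # constructed placeholders
    server = FakeAuthServer("rt-0", client_id, rotate=True)
    store = TokenStore("rt-0")
    _, _, body = build_refresh_request(domain, client_id, store.refresh_token,
                                       scope="openid profile",
                                       granted_scope="openid profile email")
    store.apply_response(server.handle(body))
    rotated_to = store.refresh_token
    _, _, replay = build_refresh_request(domain, client_id, "rt-0")
    try:
        store.apply_response(server.handle(replay))
        replay_accepted = True
    except PermissionError:
        replay_accepted = False
    return store.access_token, store.id_token, rotated_to, replay_accepted, server.valid
```

demo() walks the public-client path: the first refresh rotates rt-0 to rt-1, and replaying rt-0 afterwards is rejected with invalid_grant and empties the server's valid set for that family, which is why a client must persist the new refresh_token immediately after each rotation. Passing client_secret to build_refresh_request produces the confidential-application form of the same request.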