OpenID Connect / OAuth refresh_token grant - integration guide for developers

Overview

This guide describes how to use the refresh_token issued by PhenixID Authentication Services OP/AS to obtain a new access token (and, where the OP issues one, a new refresh token) without sending the user through the authorization flow again.

Prerequisites

- PhenixID Authentication Services OP/AS configured to issue refresh_token

- OAuth/OIDC OP Discovery URL

- RP client_id

- RP client_secret (OPTIONAL; not used if the OP is set up with PKCE)

Fetch refresh_token

The refresh token is first returned in the token response of the OP/AS authorization_code grant. Example response:

{
    "access_token": "38cc42f2-06b4-4f80-ad92-4c7b6a64fb33",
    "refresh_token": "cdaa3635-53cd-4621-9ed5-c2dd1e9e0ee3",
    "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkFQX2lwMDk0aDdVR3dXT3EydVd3dVByZC1udyJ9.eyJzdWIiOiJhZCIsImlhdCI6MTY0OTkzNzEwMiwibmJmIjoxNjQ5OTM3MTAyLCJleHAiOjE2NDk5MzcxOTIsImp0aSI6IjliNTM4MGVlLWY0OTEtNDdhMC1hNmY1LWQ2YmU0M2ZmZDA0YiIsIm5vbmNlIjoiIiwiYXVkIjoicmVmX3Rva2VuX2NsaWVudCIsImlzcyI6Imh0dHBzOi8vdGVzdGxhYi5waGVuaXhpZC5uZXQvcmVmX3Rva2VuX29wIiwiYW1yIjpbInB3ZCJdLCJnaXZlbl9uYW1lIjoiS2FsbGUiLCJmYW1pbHlfbmFtZSI6IkFua2EifQ.hw1DnS9manpiTfqVCVZjuPEhq8W6g3sF44So9jbSKdDLsL8odi2BRp8p0wwaJRV7H7hGTTT7_yP1krpWpC2owdoPDnsmnTsZ8lPnyj_7xdFIM8gJetCytgEu-MWA8jlQd7jaQSmcV-r8ieug-upUc-oVYEx1krbOn09M3XXfWwWK6a1LeFlWGyU6xfB8FExrwIP313uelUHmvNhVngXfDGGOOnq7Hs6SGwW-XiTa17s8BB-6qYUicOvqgNta8oIM-0xX0X19nviJ1DCyb81_BLBZLGBgB-_brAdDgG0tduNCznWirywNjgpkInpkcLDEuqR0TzghFhZ4xGZn_LyxJg",
    "token_type": "Bearer"
}

The refresh_token is a long-lived credential for the user's session: store it as you would a password (server side, never in browser-accessible storage for a web RP) and send it only to the token endpoint.

A new refresh token may also be issued in the response to a refresh_token grant (see below). When that happens, store the new one in place of the old one.

Call token endpoint with the refresh_token grant type

Request

Method: HTTP POST

Endpoint: the token_endpoint value from the OAuth/OIDC discovery document fetched from the discovery URL. Do not hard-code it; the path contains an instance-specific identifier.
Example: /api/authentication/ref_token_op/0210042f-53c0-4ab9-91e3-3b216b861b9c

Headers:

Name          Value                              Mandatory   Comment
Content-Type  application/x-www-form-urlencoded  Yes

Body:

client_id=<client_id>&client_secret=<client_secret>&grant_type=refresh_token&scope=openid&refresh_token=<refresh_token>

Omit the client_secret parameter entirely when the OP is set up with PKCE.

Example request

POST /api/authentication/ref_token_op/0210042f-53c0-4ab9-91e3-3b216b861b9c HTTP/1.1
Host: integration.phenixid.se
Content-Type: application/x-www-form-urlencoded

client_id=ref_token_client&client_secret=ref_token_client
&grant_type=refresh_token&scope=openid
&refresh_token=cdaa3635-53cd-4621-9ed5-c2dd1e9e0ee3

The body is shown wrapped over three lines for readability; it is sent as a single line.

Response

The HTTP Response status code may have one of these values:

- 200 if the request was successfully processed

- 403 if client authentication failed or any other error occurred

Treat any non-200 reply as the end of the session: discard the stored refresh_token and send the user through the authorization_code flow again.

Response body (id_token is only present in OIDC scenarios; it is absent in plain OAuth scenarios):

{
    "access_token": "62eb384b-7e74-4a0a-9367-797df4866a4e",
    "refresh_token": "70002193-e855-426d-b6b5-08565943f4d8",
    "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkFQX2lwMDk0aDdVR3dXT3EydVd3dVByZC1udyJ9.eyJzdWIiOiJhZCIsImlhdCI6MTY0OTkzNzU4NCwibmJmIjoxNjQ5OTM3NTg0LCJleHAiOjE2NDk5Mzc2NzQsImp0aSI6ImE3OWQ2ZGYzLTNiODUtNGU2My1hNDRlLTE3OThlMzk3YjkxZSIsIm5vbmNlIjoiIiwiYXVkIjoicmVmX3Rva2VuX2NsaWVudCIsImlzcyI6Imh0dHBzOi8vdGVzdGxhYi5waGVuaXhpZC5uZXQvcmVmX3Rva2VuX29wIiwiYW1yIjpbInB3ZCJdLCJnaXZlbl9uYW1lIjoiS2FsbGUiLCJmYW1pbHlfbmFtZSI6IkFua2EifQ.kDUV4yhfvYrEOU-C6cMWZkyZyOAWQ0KTFnkyu-PDSyYZLaBIt720cMyAdZbPjHGtS1_lbU72icCgZjWemQr6JpPqebpbDqwsQWRg5QlHffCVHBNhIdZQXKbUCwuyiPJPN4EoZCipqDlU-lbzVm-st0K9YyKKiXz1_oTKpmkjAier1awx81VdvZsnyyZq29VINsuwj3wEqgVl4AITN2MCjOpQWPAlNzWyZtIHAiXFCr-98xucm7Trq4jTWX7P1ifVMFAkiARDSJg2JjVRKTEp3SotvA1kN0rgVGNkcc49Eoy2hwnAEB8iB7iGZKHfQBLwmweATRluJ0LybFH81X1rDA",
    "token_type": "Bearer"
}

The id_token in the example is an RS256 JWT whose payload carries iss (https://testlab.phenixid.net/ref_token_op), aud (ref_token_client), iat/nbf/exp (valid for 90 seconds) and amr (["pwd"]). Verify its signature against the OP's jwks_uri and check iss, aud and exp before trusting any claim.
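The whole client side of the procedure above, as an added example that is not part of the PhenixID guide or product: read token_endpoint from the discovery document, build the form-encoded refresh_token request (with or without client_secret), and process the reply by rotating the stored refresh token and checking the id_token claims. The discovery document and the full token_endpoint URL are constructed assumptions; the response is the guide's own example, and the wrapper names (token_endpoint, build_refresh_request, handle_token_response, TokenError) are this example's, not an API of the product.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Constructed sample discovery document. The issuer is the one carried in the
# guide's example id_token; the full token_endpoint URL (host + example path)
# is an assumption. Real deployments read it from the discovery URL.
SAMPLE_DISCOVERY = {
    "issuer": "https://testlab.phenixid.net/ref_token_op",
    "token_endpoint": "https://testlab.phenixid.net/api/authentication/"
                      "ref_token_op/0210042f-53c0-4ab9-91e3-3b216b861b9c",
}

# The guide's example 200 response to a refresh_token grant, verbatim.
SAMPLE_RESPONSE = {
    "access_token": "62eb384b-7e74-4a0a-9367-797df4866a4e",
    "refresh_token": "70002193-e855-426d-b6b5-08565943f4d8",
    "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkFQX2lwMDk0aDdVR3dXT3EydVd3dVByZC1udyJ9.eyJzdWIiOiJhZCIsImlhdCI6MTY0OTkzNzU4NCwibmJmIjoxNjQ5OTM3NTg0LCJleHAiOjE2NDk5Mzc2NzQsImp0aSI6ImE3OWQ2ZGYzLTNiODUtNGU2My1hNDRlLTE3OThlMzk3YjkxZSIsIm5vbmNlIjoiIiwiYXVkIjoicmVmX3Rva2VuX2NsaWVudCIsImlzcyI6Imh0dHBzOi8vdGVzdGxhYi5waGVuaXhpZC5uZXQvcmVmX3Rva2VuX29wIiwiYW1yIjpbInB3ZCJdLCJnaXZlbl9uYW1lIjoiS2FsbGUiLCJmYW1pbHlfbmFtZSI6IkFua2EifQ.kDUV4yhfvYrEOU-C6cMWZkyZyOAWQ0KTFnkyu-PDSyYZLaBIt720cMyAdZbPjHGtS1_lbU72icCgZjWemQr6JpPqebpbDqwsQWRg5QlHffCVHBNhIdZQXKbUCwuyiPJPN4EoZCipqDlU-lbzVm-st0K9YyKKiXz1_oTKpmkjAier1awx81VdvZsnyyZq29VINsuwj3wEqgVl4AITN2MCjOpQWPAlNzWyZtIHAiXFCr-98xucm7Trq4jTWX7P1ifVMFAkiARDSJg2JjVRKTEp3SotvA1kN0rgVGNkcc49Eoy2hwnAEB8iB7iGZKHfQBLwmweATRluJ0LybFH81X1rDA",
    "token_type": "Bearer",
}


class TokenError(Exception):
    """Raised when the refresh must be abandoned and the user re-authenticated."""


def token_endpoint(discovery: dict) -> str:
    """Read the token endpoint from the discovery document (key: token_endpoint).
    Never hard-code the path: it carries an instance-specific identifier."""
    return discovery["token_endpoint"]


def build_refresh_request(client_id, refresh_token, client_secret=None, scope="openid"):
    """Headers and form body for grant_type=refresh_token, in the guide's parameter
    order. client_secret is left out for clients set up with PKCE."""
    params = {"client_id": client_id}
    if client_secret is not None:
        params["client_secret"] = client_secret
    params.update(grant_type="refresh_token", scope=scope, refresh_token=refresh_token)
    return {"Content-Type": "application/x-www-form-urlencoded"}, urlencode(params)


def unverified_claims(id_token: str) -> dict:
    """Decode the id_token payload. This does NOT check the RS256 signature;
    production code must first verify it against the OP's jwks_uri (PyJWT or
    similar) and only then apply the claim checks in handle_token_response."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def handle_token_response(status, body, expected_iss, client_id,
                          stored_refresh_token, now=None):
    """Returns (access_token, refresh_token_to_store, id_token_claims_or_None)."""
    if status != 200:
        # The guide documents 403 for auth failure or any other error. A failed
        # refresh means the session is gone: drop the stored refresh_token and
        # restart the authorization_code flow.
        raise TokenError(f"token endpoint returned {status}")
    tok = json.loads(body) if isinstance(body, str) else body
    if tok.get("token_type", "").lower() != "bearer":
        raise TokenError("unexpected token_type")
    # Rotation: when the OP returns a new refresh_token, store it in place of
    # the old one; when it does not, keep using the existing one.
    new_refresh = tok.get("refresh_token", stored_refresh_token)
    claims = None
    if "id_token" in tok:  # absent in plain OAuth (non-OIDC) scenarios
        claims = unverified_claims(tok["id_token"])
        now = int(time.time()) if now is None else now
        if claims.get("iss") != expected_iss:
            raise TokenError("id_token iss mismatch")
        aud = claims.get("aud")
        if aud != client_id and not (isinstance(aud, list) and client_id in aud):
            raise TokenError("id_token aud mismatch")
        if now >= claims["exp"] or now < claims.get("nbf", 0):
            raise TokenError("id_token not valid at this time")
    return tok["access_token"], new_refresh, claims


if __name__ == "__main__":
    headers, form = build_refresh_request(
        "ref_token_client", "cdaa3635-53cd-4621-9ed5-c2dd1e9e0ee3",
        client_secret="ref_token_client")
    print("POST", token_endpoint(SAMPLE_DISCOVERY), headers, form)
    # Pretend the POST returned the guide's example; evaluate it at a time
    # inside the id_token's validity window (iat 1649937584, exp 1649937674).
    access, refresh, claims = handle_token_response(
        200, SAMPLE_RESPONSE, SAMPLE_DISCOVERY["issuer"], "ref_token_client",
        "cdaa3635-53cd-4621-9ed5-c2dd1e9e0ee3", now=1649937600)
    print(access, refresh, claims["sub"], claims["amr"])
```

The actual HTTP POST is left to whatever client library the RP already uses; the point of the split is that the part worth getting right (what goes in the body, what to do with a new refresh_token, which id_token claims to check, and that anything other than 200 ends the session) is testable without the OP.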