[mitreid-connect] obtaining refresh token ...

Steven Carmody steven_carmody at brown.edu
Thu Dec 22 11:34:07 EST 2016


thanks for that info !

I went to the admin GUI, and took both of those steps. I didn't 
re-register my client, but I did click EDIT, and TOKENS, and then 
clicked "refresh tokens" (Refresh tokens are issued for this client
This will add the offline_access scope to the client's scopes.).

I also clicked "System Scopes" in the left Nav Bar, clicked EDIT on 
offline_access, and clicked the box to include it in the default set of 
scopes.

I then re-ran my client. unfortunately, tho, the server did NOT return a 
refresh token along with the access token that it issued to my client.

My client code (sorry, I didn't write it, I found it via google) then 
fetches scopes from the authorize endpoint (you've elsewhere explained 
to me -- "Note that those are the scopes available for the *system* and 
not the ones for a user logged in using OIDC. Those scopes are available 
as part of the token endpoint’s response in the “scope” field or 
available (from a protected resource) by introspecting the token.")

oddly, those scopes DO include a refresh token ....

any thoughts on this ?

and .. wondering if there's a way to "turn up the logging" in the 
server, so we can get a better idea of the flow thru its logic ?

thanks very much !

On 12/16/16 4:47 PM, Justin Richer wrote:
> You probably had it correct in your request, but your client also needs
> to be registered in a way to allow requesting that scope. The admin
> interface will allow this in either the list of scopes or in the
> "tokens" tab where you can check a box to say the client gets refresh
> tokens (this has the same effect).
>
>  -- Justin
>
>
> On 12/16/2016 4:45 PM, Steven Carmody wrote:
>> thanks ! I added a scope parameter to my access token request, and I
>> got this response from the server:
>>
>> "error_description":"Invalid scope; requested:[offline_access]"
>>
>> should I have added the scope request someplace else ?
>>
>> On 12/16/16 2:56 PM, Justin Richer wrote:
>>> You have to request and approve the “offline_access” scope to get a
>>> refresh token. This is true even if you’re not doing OpenID Connect.
>>>
>>>  — Justin
>>>
>>>> On Dec 16, 2016, at 1:57 PM, Steven Carmody
>>>> <steven_carmody at brown.edu> wrote:
>>>>
>>>> Hi,
>>>>
>>>> my access token request returns values for access_token and token_type
>>>> .... do I have to do something special to have this package also return
>>>> a refresh token ? I didn't think so ... ?
>>>>
>>>> thanks !
>>>> _______________________________________________
>>>> mitreid-connect mailing list
>>>> mitreid-connect at mit.edu
>>>> http://mailman.mit.edu/mailman/listinfo/mitreid-connect
>>>
>>
>
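
Added example, not part of the original thread and not MITREid Connect code: a small Python check that reads a token endpoint response and reports whether offline_access was granted and a refresh token returned, using the "scope" field mentioned above. The function name, status labels and sample responses are constructed for illustration; the "invalid_scope" error code is the standard RFC 6749 value, assumed here because the thread shows only the error_description.

```python
import json

def diagnose_token_response(body, requested_scope):
    """Explain why a token response does or does not carry a refresh token.

    body: raw JSON text returned by the token endpoint.
    requested_scope: space-delimited scope string the client sent.
    Returns (status, detail). Token values are never copied into the
    output, so the result is safe to write to a log.
    """
    resp = json.loads(body)
    if "error" in resp:
        # RFC 6749 section 5.2 error response.
        detail = "%s: %s" % (resp["error"], resp.get("error_description", ""))
        return ("error", detail)
    # RFC 6749 section 5.1: "scope" may be omitted when the granted scope
    # is identical to what the client requested.
    granted = set((resp.get("scope") or requested_scope).split())
    requested = set(requested_scope.split())
    if resp.get("refresh_token"):
        return ("ok", "refresh token issued; granted: " + " ".join(sorted(granted)))
    if "offline_access" in granted:
        # Granted but not returned: the grant type may not issue refresh
        # tokens at all (the implicit grant never does).
        return ("granted_but_missing",
                "offline_access granted, no refresh_token; check grant type "
                "and client registration")
    if "offline_access" in requested:
        return ("not_granted",
                "offline_access requested but absent from granted scopes: "
                + " ".join(sorted(granted)))
    return ("not_requested", "offline_access was not in the scope request")

# Constructed sample responses (token values are placeholders).
SAMPLE_ERROR = ('{"error":"invalid_scope",'
                '"error_description":"Invalid scope; requested:[offline_access]"}')
SAMPLE_NO_REFRESH = ('{"access_token":"PLACEHOLDER","token_type":"Bearer",'
                     '"scope":"openid profile"}')
SAMPLE_OK = ('{"access_token":"PLACEHOLDER","token_type":"Bearer",'
             '"refresh_token":"PLACEHOLDER","scope":"openid offline_access"}')
SAMPLE_NO_SCOPE_FIELD = '{"access_token":"PLACEHOLDER","token_type":"Bearer"}'

if __name__ == "__main__":
    for sample in (SAMPLE_ERROR, SAMPLE_NO_REFRESH, SAMPLE_OK, SAMPLE_NO_SCOPE_FIELD):
        print(diagnose_token_response(sample, "openid offline_access"))
```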


