[mitreid-connect] obtaining refresh token ...

Steven Carmody steven_carmody at brown.edu
Fri Dec 23 08:42:36 EST 2016 

thanks for all this info !

yes, I can  use the /api/scopes endpoint, and I do get the scopes and a 
refresh token.

I'm not using an implicit client. Rather, I'm using a client running on 
a different server from MITRED; it uses the authorization code grant flow.

thanks for all the help ! I'll probably be back after the holiday break.

On 12/22/16 1:06 PM, Justin Richer wrote:
> You can edit the file “log4j.xml” to turn up the logging for
> debuggingpurposes.
>
> You don’t fetch scopes from the authorize endpoint, so I don’t know
where you’re getting that. The /api/scopes call and the discovery
endpoint list the available system scopes.
>
> Incidentally, are you using an implicit client? (Using in-browser
javascript?) If so, you won’t get a refresh token at all, ever. They’re
not issued for that flow. (Note if you’re using the implicit flow with a
non-javascript client application, you’re not using the protocol correctly.)
>
> — Justin >
>> On Dec 22, 2016, at 11:34 AM, Steven Carmody <steven_carmody at brown.edu> wrote:
>>
>> thanks for that info !
>>
>> I went to the admin GUI, and took both of those steps. I didn't re=register my client, but I did click EDIT, and TOKENS, and then clicked "refresh tokens" (Refresh tokens are issued for this client
>> This will add the offline_access scope to the client's scopes.).
>>
>> I also clicked "System Scopes" in the left Nar Bar, clicked EDIT on offline_access, and clicked the box to include it in the default set of scopes.
>>
>> I then re-ran my client. unfortunately, tho, the server did NOT return a refresh token along with the access token that it issued to my client.
>>
>> My client code (sorry, I didn't write it, I found it via google) then fetch's scopes from the authorize endpoint (you've elsewhere explained to me -- "Note that those are the scopes available for the *system* and not the ones for a user logged in using OIDC. Those scopes are available as part of the token endpoint’s response in the “scope” field or available (from a protected resource) by introspecting the token.")
>>
>> oddly, those scopes DO include a refresh token ....
>>
>> any thoughts on this ?
>>
>> and .. wondering if there's a way to "turn up the logging" in the server, so we can get a better idea of the flow thru its logic ?
>>
>> thanks very much !
>>
>> On 12/16/16 4:47 PM, Justin Richer wrote:
>>> You probably had it correct in your request, but your client also needs
>>> to be registered in a way to allow requesting that scope. The admin
>>> interface will allow this in either the list of scopes or in the
>>> "tokens" tab where you can check a box to say the client gets refresh
>>> tokens (this has the same effect).
>>>
>>> -- Justin
>>>
>>>
>>> On 12/16/2016 4:45 PM, Steven Carmody wrote:
>>>> thanks ! I added a scope parameter to my access token request, and I
>>>> got this response from the server:
>>>>
>>>> "error_description":"Invalid scope; requested:[offline_access]"
>>>>
>>>> should I have added the scope request someplace else ?
>>>>
>>>> On 12/16/16 2:56 PM, Justin Richer wrote:
>>>>> You have to request and approve the “offline_access” scope to get a
>>>> refresh token. This is true even if you’re not doing OpenID Connect.
>>>>>
>>>>> — Justin
>>>>>
>>>>>> On Dec 16, 2016, at 1:57 PM, Steven Carmody
>>>>>> <steven_carmody at brown.edu> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> my access token request returns values for access_token and token_type
>>>>>> .... do I have to do something special to have this package also return
>>>>>> a refresh token ? I didn't think so ... ?
>>>>>>
>>>>>> thanks !
>>>>>> _______________________________________________
>>>>>> mitreid-connect mailing list
>>>>>> mitreid-connect at mit.edu
>>>>>> http://mailman.mit.edu/mailman/listinfo/mitreid-connect
>>>>>
>>>>
>>>
>>
>

More information about the mitreid-connect mailing list