[mitreid-connect] obtaining refresh token ...

Justin Richer jricher at mit.edu
Thu Dec 22 13:06:17 EST 2016


You can edit the file “log4j.xml” to turn up the logging for debugging purposes. 

You don’t fetch scopes from the authorize endpoint, so I don’t know where you’re getting that. The /api/scopes call and the discovery endpoint list the available system scopes.

Incidentally, are you using an implicit client? (Using in-browser javascript?) If so, you won’t get a refresh token at all, ever. They’re not issued for that flow. (Note if you’re using the implicit flow with a non-javascript client application, you’re not using the protocol correctly.)

 — Justin

> On Dec 22, 2016, at 11:34 AM, Steven Carmody <steven_carmody at brown.edu> wrote:
> 
> thanks for that info !
> 
> I went to the admin GUI, and took both of those steps. I didn't re-register my client, but I did click EDIT, and TOKENS, and then clicked "refresh tokens" (Refresh tokens are issued for this client
> This will add the offline_access scope to the client's scopes.).
> 
> I also clicked "System Scopes" in the left Nav Bar, clicked EDIT on offline_access, and clicked the box to include it in the default set of scopes.
> 
> I then re-ran my client. unfortunately, tho, the server did NOT return a refresh token along with the access token that it issued to my client.
> 
> My client code (sorry, I didn't write it, I found it via google) then fetches scopes from the authorize endpoint (you've elsewhere explained to me -- "Note that those are the scopes available for the *system* and not the ones for a user logged in using OIDC. Those scopes are available as part of the token endpoint’s response in the “scope” field or available (from a protected resource) by introspecting the token.")
> 
> oddly, those scopes DO include a refresh token ....
> 
> any thoughts on this ?
> 
> and .. wondering if there's a way to "turn up the logging" in the server, so we can get a better idea of the flow thru its logic ?
> 
> thanks very much !
> 
> On 12/16/16 4:47 PM, Justin Richer wrote:
>> You probably had it correct in your request, but your client also needs
>> to be registered in a way to allow requesting that scope. The admin
>> interface will allow this in either the list of scopes or in the
>> "tokens" tab where you can check a box to say the client gets refresh
>> tokens (this has the same effect).
>> 
>> -- Justin
>> 
>> 
>> On 12/16/2016 4:45 PM, Steven Carmody wrote:
>>> thanks ! I added a scope parameter to my access token request, and I
>>> got this response from the server:
>>> 
>>> "error_description":"Invalid scope; requested:[offline_access]"
>>> 
>>> should I have added the scope request someplace else ?
>>> 
>>> On 12/16/16 2:56 PM, Justin Richer wrote:
>>>> You have to request and approve the “offline_access” scope to get a
>>>> refresh token. This is true even if you’re not doing OpenID Connect.
>>>> 
>>>> — Justin
>>>> 
>>>>> On Dec 16, 2016, at 1:57 PM, Steven Carmody
>>>>> <steven_carmody at brown.edu> wrote:
>>>>> 
>>>>> Hi,
>>>>> 
>>>>> my access token request returns values for access_token and token_type
>>>>> .... do I have to do something special to have this package also return
>>>>> a refresh token ? I didn't think so ... ?
>>>>> 
>>>>> thanks !
>>>>> _______________________________________________
>>>>> mitreid-connect mailing list
>>>>> mitreid-connect at mit.edu
>>>>> http://mailman.mit.edu/mailman/listinfo/mitreid-connect
>>>> 
>>> 
>> 
> 
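The three conditions the thread walks through (offline_access must be requested, the client must be registered to allow it, and the implicit flow never yields a refresh token), plus the "scope" field check Justin describes, as an added client-side example that is not part of the thread or of the MITREid Connect project; the client registration values and token responses are constructed for illustration.

```python
# Added example: pre-flight check for refresh-token issuance and a parser for
# the token endpoint response. Registration values and JSON bodies below are
# constructed, not taken from a real server.
import json

OFFLINE_ACCESS = "offline_access"


def refresh_token_blockers(grant_types, allowed_scopes, requested_scopes):
    """Return the reasons, in the order the thread hit them, why a token
    response will carry no refresh_token. An empty list means none found."""
    reasons = []
    if OFFLINE_ACCESS not in requested_scopes:
        reasons.append("offline_access not in the request's scope parameter")
    if OFFLINE_ACCESS not in allowed_scopes:
        # MITREid Connect rejects the request with
        # "Invalid scope; requested:[offline_access]" in this case.
        reasons.append("client not registered to allow offline_access")
    if "authorization_code" not in grant_types:
        reasons.append("not the authorization_code flow (implicit never issues refresh tokens)")
    return reasons


def check_token_response(body):
    """Parse a token endpoint JSON body. Return (refresh_token or None, granted scopes);
    the granted scopes come from the space-delimited 'scope' field, which is
    the per-user answer rather than the system scope list."""
    data = json.loads(body)
    if "error" in data:
        raise ValueError(data.get("error_description", data["error"]))
    granted = set(data.get("scope", "").split())
    return data.get("refresh_token"), granted


# Constructed sample responses (placeholder token values).
SUCCESS_BODY = json.dumps({
    "access_token": "ACCESS-PLACEHOLDER", "token_type": "Bearer",
    "expires_in": 3599, "scope": "openid offline_access",
    "refresh_token": "REFRESH-PLACEHOLDER",
})
ERROR_BODY = json.dumps({
    "error": "invalid_scope",
    "error_description": "Invalid scope; requested:[offline_access]",
})

if __name__ == "__main__":
    print(refresh_token_blockers(["implicit"], {"openid"}, {"openid", "offline_access"}))
    print(check_token_response(SUCCESS_BODY))
```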