[mitreid-connect] obtaining refresh token ...
Justin Richer
jricher at mit.edu
Thu Dec 22 13:06:17 EST 2016
You can edit the file “log4j.xml” to turn up the logging for debugging purposes.
You don’t fetch scopes from the authorize endpoint, so I don’t know where you’re getting that. The /api/scopes call and the discovery endpoint list the available system scopes.
Incidentally, are you using an implicit client? (Using in-browser javascript?) If so, you won’t get a refresh token at all, ever. They’re not issued for that flow. (Note if you’re using the implicit flow with a non-javascript client application, you’re not using the protocol correctly.)
— Justin
> On Dec 22, 2016, at 11:34 AM, Steven Carmody <steven_carmody at brown.edu> wrote:
>
> thanks for that info !
>
> I went to the admin GUI, and took both of those steps. I didn't re-register my client, but I did click EDIT, and TOKENS, and then clicked "refresh tokens" (Refresh tokens are issued for this client
> This will add the offline_access scope to the client's scopes.).
>
> I also clicked "System Scopes" in the left Nav Bar, clicked EDIT on offline_access, and clicked the box to include it in the default set of scopes.
>
> I then re-ran my client. unfortunately, tho, the server did NOT return a refresh token along with the access token that it issued to my client.
>
> My client code (sorry, I didn't write it, I found it via google) then fetches scopes from the authorize endpoint (you've elsewhere explained to me -- "Note that those are the scopes available for the *system* and not the ones for a user logged in using OIDC. Those scopes are available as part of the token endpoint’s response in the “scope” field or available (from a protected resource) by introspecting the token.")
>
> oddly, those scopes DO include a refresh token ....
>
> any thoughts on this ?
>
> and .. wondering if there's a way to "turn up the logging" in the server, so we can get a better idea of the flow thru its logic ?
>
> thanks very much !
>
> On 12/16/16 4:47 PM, Justin Richer wrote:
>> You probably had it correct in your request, but your client also needs
>> to be registered in a way to allow requesting that scope. The admin
>> interface will allow this in either the list of scopes or in the
>> "tokens" tab where you can check a box to say the client gets refresh
>> tokens (this has the same effect).
>>
>> -- Justin
>>
>>
>> On 12/16/2016 4:45 PM, Steven Carmody wrote:
>>> thanks ! I added a scope parameter to my access token request, and I
>>> got this response from the server:
>>>
>>> "error_description":"Invalid scope; requested:[offline_access]"
>>>
>>> should I have added the scope request someplace else ?
>>>
>>> On 12/16/16 2:56 PM, Justin Richer wrote:
>>>> You have to request and approve the “offline_access” scope to get a
>>>> refresh token. This is true even if you’re not doing OpenID Connect.
>>>>
>>>> — Justin
>>>>
>>>>> On Dec 16, 2016, at 1:57 PM, Steven Carmody
>>>>> <steven_carmody at brown.edu> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> my access token request returns values for access_token and token_type
>>>>> .... do I have to do something special to have this package also return
>>>>> a refresh token ? I didn't think so ... ?
>>>>>
>>>>> thanks !
>>>>> _______________________________________________
>>>>> mitreid-connect mailing list
>>>>> mitreid-connect at mit.edu
>>>>> http://mailman.mit.edu/mailman/listinfo/mitreid-connect
>>>>
>>>
>>
>
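The points made in this thread (a refresh token requires the offline_access scope to be both requested and granted, the token endpoint's "scope" field is the authoritative list of what was granted, and the implicit flow never yields a refresh token) can be turned into a small client-side diagnostic. The following is an added example, not code from the list or from the MITREid Connect project; the token responses it parses are constructed samples, and the helper names are my own.

```python
"""Diagnose why an OAuth 2.0 token response lacks a refresh token.

Added example (not MITREid Connect code). Field names follow RFC 6749 and
OpenID Connect; the sample responses below are constructed.
"""
import json
from urllib.parse import urlencode

# Constructed sample responses: one where offline_access was granted and a
# refresh token came back, one where it was not.
SAMPLE_WITH_REFRESH = json.dumps({
    "access_token": "constructed-access-token",
    "token_type": "Bearer",
    "expires_in": 3599,
    "scope": "openid profile offline_access",
    "refresh_token": "constructed-refresh-token",
})
SAMPLE_WITHOUT_REFRESH = json.dumps({
    "access_token": "constructed-access-token",
    "token_type": "Bearer",
    "expires_in": 3599,
    "scope": "openid profile",
})


def parse_token_response(body: str) -> dict:
    """Normalise a token endpoint JSON body.

    'scopes' is the set of scopes the user actually granted (the "scope"
    field), which is what matters here; the system-wide /api/scopes list
    only says what the server could issue in principle.
    """
    data = json.loads(body)
    return {
        "access_token": data.get("access_token"),
        "token_type": data.get("token_type"),
        "scopes": set(data.get("scope", "").split()),
        "refresh_token": data.get("refresh_token"),
    }


def diagnose_missing_refresh_token(grant_types, requested_scopes, body):
    """Return a list of reasons no refresh token was issued (empty if one was).

    grant_types: the grant types the client is registered for.
    requested_scopes: the scopes the client asked for in the authorization request.
    """
    resp = parse_token_response(body)
    if resp["refresh_token"]:
        return []
    reasons = []
    # Implicit-only clients never receive refresh tokens, whatever they request.
    if "implicit" in grant_types and "authorization_code" not in grant_types:
        reasons.append("implicit flow: refresh tokens are never issued")
    if "offline_access" not in requested_scopes:
        reasons.append("offline_access was not requested")
    elif "offline_access" not in resp["scopes"]:
        # Requested but not granted: the client registration does not allow
        # the scope (the admin UI's 'refresh tokens' checkbox adds it).
        reasons.append("offline_access requested but not granted; "
                       "check the client's registered scopes")
    if not reasons:
        reasons.append("offline_access granted but no refresh_token in response; "
                       "check server-side token settings")
    return reasons


def build_refresh_request(refresh_token, scopes=None):
    """Form body for the refresh_token grant (RFC 6749 section 6).

    Client authentication is sent separately (e.g. HTTP Basic), not in the body.
    """
    params = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    if scopes:
        params["scope"] = " ".join(scopes)
    return urlencode(params)
```

Run the diagnostic against the body returned by the token endpoint together with the client's registered grant types; an implicit-only client will be flagged regardless of scopes, which matches the behaviour described above.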