OAuth 2.0 Refresh Tokens
⚠️ UNDER DEVELOPMENT: This feature is under development and not ready for production use. Use it only for testing. Note that the base address for this API is the Momentum Login security service.
This authorization flow uses the refresh_token grant type (see RFC 6749, section 6, for details).
The refresh token can be used to request a new access token. Every successful refresh also returns a new refresh token that replaces the old one (refresh token rotation), so a captured refresh token cannot be replayed indefinitely. The old refresh token must not be used again; reusing it triggers anomaly detection. Never have more than one refresh_token grant request in flight at a time: concurrent requests race each other, and the loser presents a token that has already been rotated.
Clients may retry failed refresh_token requests. When a refresh token is used, a new one is generated and the old one is invalidated 30 seconds later. This grace period allows retries (for example, after a lost response) without triggering anomaly detection. Do not send a refresh_token request more than 30 seconds after the first failed request was sent: doing so may trigger anomaly detection, which may disable the application and/or sign the user out of all sessions in all applications.
A refresh token may be revoked at any time, for example when the user signs out, when an anomaly is detected, or when an administrator disables the account. If the refresh token is invalid or has expired, the API returns an error. The client must handle this error gracefully and let the user start a new login process.
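The client-side rules above (rotation, one request in flight, retries only inside the 30-second window, and a clean fall-back to a new login) are easy to get subtly wrong, so here is an added, runnable illustration. It is not the Momentum Login code: FakeTokenEndpoint is a constructed in-memory stand-in that models only the behaviour this page describes (assuming, additionally, that a retry with the superseded token inside the window returns the same replacement pair), FakeClock replaces real time so the window can be exercised without sleeping, and RefreshClient shows the serialisation, single-flight reuse, bounded retry and ReLoginRequired handling a real client needs. All names are hypothetical.

```python
import secrets
import threading
import time

GRACE_SECONDS = 30      # page: a superseded refresh token stays usable for 30 s
MAX_RETRY_WINDOW = 30   # page: no retry more than 30 s after the first failed request


class ReLoginRequired(Exception):
    """Refresh token invalid, expired or revoked: send the user to a new login."""


class FakeClock:
    """Constructed clock so the grace window can be exercised without sleeping."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


class FakeTokenEndpoint:
    """Constructed in-memory stand-in for POST /api/auth/oauth2/token; not the real service.

    Models only the rules on this page: rotation on every refresh, a grace window for
    the superseded token, and anomaly detection (all sessions revoked) on reuse after
    the window. Assumption: a retry with the superseded token inside the window returns
    the same replacement pair, so a client whose response was lost can recover.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.active = set()              # refresh tokens that are currently live
        self.grace = {}                  # superseded token -> (replacement pair, deadline)
        self.revoked = False             # anomaly detection tripped
        self.drop_next_response = False  # simulate a lost response (server state still changes)

    def login(self):
        rt = secrets.token_urlsafe(24)
        self.active.add(rt)
        return rt

    def token(self, grant_type, refresh_token):
        now = self.clock()
        if grant_type != "refresh_token":
            return {"error": "unsupported_grant_type"}
        if self.revoked or (refresh_token not in self.active and refresh_token not in self.grace):
            return {"error": "invalid_grant"}
        if refresh_token in self.active:
            pair = {"access_token": secrets.token_urlsafe(24),
                    "refresh_token": secrets.token_urlsafe(24)}
            self.active.remove(refresh_token)
            self.active.add(pair["refresh_token"])
            self.grace[refresh_token] = (pair, now + GRACE_SECONDS)
        else:
            pair, deadline = self.grace[refresh_token]
            if now > deadline:           # replay after the window: revoke everything
                self.revoked, self.active, self.grace = True, set(), {}
                return {"error": "invalid_grant"}
        if self.drop_next_response:
            self.drop_next_response = False
            raise ConnectionError("response lost in transit")
        return dict(pair)


class RefreshClient:
    """Client side: one refresh in flight at a time, retries bounded by the grace
    window, and a hard failure that sends the user back to login."""

    def __init__(self, endpoint, refresh_token, clock=time.monotonic, backoff=time.sleep):
        self.endpoint = endpoint
        self.refresh_token = refresh_token
        self.access_token = None
        self.clock = clock
        self.backoff = backoff           # called with seconds between retries; tests inject a fake
        self._lock = threading.Lock()    # serialises refreshes across threads

    def refresh(self, stale_access_token=None):
        with self._lock:
            # Another caller may already have refreshed while we waited for the lock;
            # reuse its result instead of issuing a second rotation.
            if stale_access_token is not None and self.access_token != stale_access_token:
                return self.access_token
            first_failed_sent = None
            while True:
                sent_at = self.clock()
                try:
                    resp = self.endpoint.token("refresh_token", self.refresh_token)
                except ConnectionError:
                    if first_failed_sent is None:
                        first_failed_sent = sent_at
                    self.backoff(1)
                    if self.clock() - first_failed_sent >= MAX_RETRY_WINDOW:
                        # A later retry would look like replay; stop and re-authenticate.
                        raise ReLoginRequired("retry window exhausted")
                    continue
                if "error" in resp:
                    raise ReLoginRequired(resp["error"])
                self.access_token = resp["access_token"]
                self.refresh_token = resp["refresh_token"]   # the old one is never used again
                return self.access_token


if __name__ == "__main__":
    clock = FakeClock()
    ep = FakeTokenEndpoint(clock=clock)
    client = RefreshClient(ep, ep.login(), clock=clock, backoff=lambda s: clock.advance(s))
    print("access token:", client.refresh()[:8], "...")
    ep.drop_next_response = True   # response lost; the retry inside the window recovers
    print("after lost response:", client.refresh()[:8], "...")
    print("anomaly tripped:", ep.revoked)
```

The two points worth copying into a real client are the lock plus the stale_access_token check (so a burst of 401s from several threads produces one rotation, not several) and measuring the retry budget from when the first failed request was sent, not from when the failure was noticed, so that no retry can leave the client after the server has already invalidated the old token.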
Refreshing an Access Token
POST /api/auth/oauth2/token
?grant_type=refresh_token
&refresh_token=B56BiRe4a135Aj337qFEaf66A144vki
Response
IMPORTANT: If an id_token is returned, the nonce claim of the JWT must be validated against the previously generated and stored nonce (the value sent as nonce in the initial request). If the nonce in the received JWT does not match the stored one, the login attempt must be rejected.
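An added example of the nonce check, not code from the page or the service. It splits the compact JWT, verifies the signature, and compares the nonce claim in constant time against the nonce stored when the initial request was sent; a missing or mismatching nonce rejects the response. Assumptions: the example signs and verifies with HS256 and a constructed shared key (make_demo_id_token) purely so it runs offline; id_tokens from the real service must be verified with a JOSE library against the provider's published signing keys before any claim is trusted. All function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_id_token(id_token: str, key: bytes) -> dict:
    """Split the compact JWT, verify its HS256 signature and return the claims.

    Constructed for this example: real tokens are normally RS256 and must be
    verified against the provider's published keys with a JOSE library.
    """
    try:
        header_b64, payload_b64, sig_b64 = id_token.split(".")
    except ValueError:
        raise ValueError("malformed id_token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":        # never accept 'none' or an unexpected alg
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def nonce_matches(claims: dict, stored_nonce: str) -> bool:
    """Constant-time comparison of the token's nonce with the one stored at login.

    A missing nonce, or no stored nonce, counts as a mismatch."""
    got = claims.get("nonce")
    if not isinstance(got, str) or not stored_nonce:
        return False
    return hmac.compare_digest(got.encode("utf-8"), stored_nonce.encode("utf-8"))


def accept_refresh_response(response: dict, stored_nonce: str, key: bytes) -> bool:
    """The page's rule: if an id_token is present, its nonce must match or the
    login attempt is rejected. A response without id_token passes this check."""
    id_token = response.get("id_token")
    if id_token is None:
        return True
    claims = decode_id_token(id_token, key)   # raises on a bad signature
    return nonce_matches(claims, stored_nonce)


def make_demo_id_token(claims: dict, key: bytes) -> str:
    """Constructed helper that mints an HS256 token so the example runs offline."""
    header_b64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    key = b"constructed-demo-key"        # constructed; not a real signing key
    stored_nonce = "nonce-from-initial-request"
    good = make_demo_id_token({"sub": "user1", "nonce": stored_nonce}, key)
    print("matching nonce accepted:", accept_refresh_response({"id_token": good}, stored_nonce, key))
    print("wrong nonce rejected:", not accept_refresh_response({"id_token": good}, "other", key))
```

Keep the stored nonce bound to the session that started the login, not in a global, so an id_token obtained for one session cannot satisfy another session's check.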