Applying Refresh Token

After user authentication is completed, both the access token and refresh token will be returned. When the access token expires, you can use the refresh token to obtain a new access token.

Example request:

curl -v -X POST https://{digiRunner_DOMAIN}/oauth/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Authorization: Basic {client_secret}' \
-d 'grant_type=refresh_token' \
-d 'refresh_token={refresh_token}'

Parameters with details:

Parameter

Type

Requirement

Description

client_secret

String

Required

Scenario I. Higher-Security (Client Password Required)

1. Client Password registered with digiRunner; needs to be encoded with Base64

2. Concatenate the client ID with ":" and the encoded client password, then encode the result with Base64 again to generate the value to be used

3. Example:

Client ID: tspclient

Client Password: tsp123abcd

Formula for generating the value:

Base64 Encode(ClientID+":"+Base64 Encode(Client Password))

Base64 Encode(tspclient+":"+Base64 Encode(tsp123abcd))

Base64 Encode(tspclient:dHNwMTIzYWJjZA==)

Output for client_secret:

dHNwY2xpZW50OmRITndNVEl6WVdKalpBPT0=

Scenario II. PKCE + Public Client (Client Password Not Required)

When the Public Client (With PKCE) option is selected in digiRunner's OAuth grant type, the client password is not required.

1. Concatenate the client ID with ":" (no client password is required)

2. Example:

Client ID: tspclient

Client Password: ""

Formula for generating the value:

Base64 Encode(ClientID+":")

Base64 Encode(tspclient+":")

Base64 Encode(tspclient:)

Output for client_secret:

dHNwY2xpZW50Og==

grant_type

String

Required

refresh_token, a fixed value

refresh_token

String

Required

Refresh Token, associated with the access token that requires refreshing

If the refresh token has expired, you must prompt the user to log in again to generate a new access token.

Example of Successful Response

If the refresh is successful, a new access token will be returned.

Example:

{
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJub2RlIjoiZXhlY3V0b3IxIiwiYXVkIjpbIllXUnRhVzVCVUVrIl0sInVzZXJfbmFtZSI6InRzcHVzZXIiLCJvcmdfaWQiOiIxMDAwMDAiLCJzY29wZSI6WyIyMDAwMDAwMDA2Il0sInN0aW1lIjoxNjg0ODA5NzE3NjY4LCJleHAi...",
    "expires_in": 86399,
    "jti": "41fa8a7b-b21d-4598-b254-5ffbed8b619f",
    "node": "executor1",
    "org_id": "100000",
    "refresh_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJub2RlIjoiZXhlY3V0b3IxIiwiYXVkIjpbIllXUnRhVzVCVUVrIl0sInVzZXJfbmFtZSI6InRzcHVzZXIiLCJvcmdfaWQiOiIxMDAwMDAiLCJzY29wZSI6WyIyMDAwMDAwMDA2Il0sImF0aSI6ImMyYzAzNTc0LTI2ODItNGYwMi...",
    "scope": "2000000006",
    "stime": 1684742522981,
    "token_type": "bearer"
}

Example of Error Response

If the refresh token has expired, a 401 Unauthorized HTTP status code and JSON response will be returned.

Example:

{
    "error": "invalid_token",
    "error_description": "Invalid refresh token (expired): eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJub2RlIjoiZXhlY3V0b3IxIiwiYXVkIjpbIllXUnRhVzVCVUVrIl0sInVzZXJfbmFtZSI6InRzcHVzZXIiLCJvcmdfaWQiOiIxMDAwMDAiLCJzY29wZSI6WyIyMDAwMDAwMDA2Il0sImF0aSI6ImMyYzAzNTc0LTI2ODItNGYwMi..."
}

PreviousToken Lifecycle Management Mechanism NextToken Revocation

Was this helpful?