This documentation is for WSO2 Identity Server 5.1.0 . View documentation for the latest release.
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 10 Next »

Recommended use

The refresh token grant can be used when the current access token is expired or when a new access token is needed. With this grant type, the refresh token acts as a credential and is issued to the client by the authorization server. Issuing a refresh token is optional and if the authorization server issues a refresh token, it is included when issuing an access token. WSO2 Identity Server issues refresh tokens for all other grant types other than the implicit grant as recommended by the OAuth 2.0 specification. 

This refresh token needs to be kept private, similar to the access token. When using this token, keep in mind that it issues the access token without a user interaction.

The flow

In order to use this grant type, a refresh token needs to be already received when using a grant type like authorization code, password or client credentials. Then using this received refresh token, a new access token can be received along with a new refresh token without going through any other additional steps.


  1. The <RefreshTokenValidityPeriod> element is in seconds. By default, it is valid for one day. You can configure this accordingly. 
  2. The <RenewRefreshTokenForRefreshGrant> element is by default set to true.

    The refresh token is renewed when the refresh grant is used to get an access token. A new refresh token is issued with a new expiry time and the previous refresh token is then inactive and can no longer be used.

    If this element is set to false, unless the refresh token has expired, the same refresh token is returned.

		<!-- Validity period for refresh token -->
        <!-- Enable renewal of refresh token for refresh_token grant -->

Try out scenario

Run the following cURL command to try out the refresh token grant. 

curl -k -d "grant_type=refresh_token&refresh_token=<refresh_token>" -H "Authorization: Basic <Base64Encoded(Client_Id:Client_Secret)>" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:9443/oauth2/token
  • No labels