Token Refresh Flow

Overview

When an access token expires, you can use the refresh token to obtain a new access token without requiring the user to log in again.

Implementation

async function refreshToken(refreshToken) {
const response = await fetch(`${authServerUrl}/protocol/openid-connect/token`, {
  method: 'POST',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded'
  },
  body: new URLSearchParams({
    grant_type: 'refresh_token',
    client_id: clientId,
    client_secret: clientSecret,
    refresh_token: refreshToken
  })
});

const tokens = await response.json();
return tokens;
// Returns: { access_token, refresh_token, id_token }
}

Required Parameters

grant_type: Set to "refresh_token"
client_id: Your application's client ID
client_secret: Your application's client secret
refresh_token: The refresh token from the previous token response

Response

The response includes:

access_token: New access token
refresh_token: New refresh token (if enabled)
token_type: Usually "Bearer"
expires_in: Token lifetime in seconds

Best Practices

Store refresh tokens securely (HTTP-only cookies)
Implement token refresh before access token expires
Handle refresh token expiration gracefully
Rotate refresh tokens for better security

Token Refresh Flow

Overview

When an access token expires, you can use the refresh token to obtain a new access token without requiring the user to log in again.

Implementation

async function refreshToken(refreshToken) {
const response = await fetch(`${authServerUrl}/protocol/openid-connect/token`, {
  method: 'POST',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded'
  },
  body: new URLSearchParams({
    grant_type: 'refresh_token',
    client_id: clientId,
    client_secret: clientSecret,
    refresh_token: refreshToken
  })
});

const tokens = await response.json();
return tokens;
// Returns: { access_token, refresh_token, id_token }
}

Required Parameters

grant_type: Set to "refresh_token"
client_id: Your application's client ID
client_secret: Your application's client secret
refresh_token: The refresh token from the previous token response

Response

The response includes:

access_token: New access token
refresh_token: New refresh token (if enabled)
token_type: Usually "Bearer"
expires_in: Token lifetime in seconds

Best Practices

Store refresh tokens securely (HTTP-only cookies)
Implement token refresh before access token expires
Handle refresh token expiration gracefully
Rotate refresh tokens for better security