OAuth: Support for Refresh Tokens

Category: API, Informational

Summary: Genesys Cloud is introducing support for refresh tokens, as specified in RFC 6749 section 1.5 (https://tools.ietf.org/html/rfc6749#section-1.5). Reference: PURE-2987.

Context: Refresh tokens may be used to request a new access token. Common use cases include getting new access tokens after old ones have expired, or getting access to a new resource for the first time.

Impact: Refresh tokens will be included along with the access token during a code exchange.

Refresh tokens may be revoked without notice, and applications should gracefully handle that scenario by redirecting the user-agent for authorization (as they do currently).

The refresh token grant type requires client credentials, and is therefore only usable by confidential clients (those using the authorization code grant).

Date of Change: April 29th, 2020

Impacted APIs:

  • OAuth
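A sketch of the client-side handling described above: refreshing with client credentials sent as HTTP Basic, and falling back to sending the user-agent back through authorization when the refresh token has been revoked. This is an added example, not Genesys code; the endpoint URLs and the injected `post` transport are assumptions, and the error shape follows RFC 6749 section 5.2.

```python
import base64
from dataclasses import dataclass
from typing import Callable, Optional, Tuple
from urllib.parse import urlencode

# Constructed placeholder endpoints; a real client uses the URLs issued by its authorization server.
TOKEN_URL = "https://login.example.test/oauth/token"
AUTHORIZE_URL = "https://login.example.test/oauth/authorize"


@dataclass
class TokenSet:
    access_token: str
    refresh_token: Optional[str] = None


def build_refresh_request(client_id: str, client_secret: str, refresh_token: str) -> dict:
    """Build the RFC 6749 section 6 refresh request. Client credentials go in the
    Authorization header (HTTP Basic, section 2.3.1): the refresh grant is only
    available to confidential clients, so the secret is always required here."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "url": TOKEN_URL,
        "headers": {"Authorization": f"Basic {creds}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token}),
    }


def refresh_or_reauthorize(tokens: TokenSet, client_id: str, client_secret: str,
                           post: Callable[[dict], Tuple[int, dict]]):
    """Try to refresh. Returns ("ok", TokenSet) on success, or ("reauthorize", url)
    when the refresh token is missing or has been revoked (400 invalid_grant), so the
    caller can redirect the user-agent for authorization instead of failing hard.
    `post` is an assumed transport: it takes the request dict and returns (status, json)."""
    if tokens.refresh_token is None:
        return "reauthorize", AUTHORIZE_URL
    status, payload = post(build_refresh_request(client_id, client_secret, tokens.refresh_token))
    if status == 200 and "access_token" in payload:
        # The server may rotate the refresh token; keep the new one if issued, else the old one.
        return "ok", TokenSet(payload["access_token"], payload.get("refresh_token", tokens.refresh_token))
    if status == 400 and payload.get("error") == "invalid_grant":
        # Revoked without notice (logout, password change, token invalidation): start over.
        return "reauthorize", AUTHORIZE_URL
    raise RuntimeError(f"token endpoint returned {status}: {payload}")
```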

Nice! Are there known scenarios where a refresh token would be revoked, or would it just fall under the bad actor app scenarios that would cause access tokens to be revoked?

Refresh tokens will be revoked if the user explicitly logs out, their password changes, or all their tokens are invalidated. The refresh token will not be revoked if the user's authenticated HTTP session expires.
