See openid-connect Menu

Refresh an Access Token


Deprecation Notice

There is a more recent version of this OpenId Connect API available. Learn more.

This endpoint will be deprecated on November 2nd 2020.

Use this API to refresh the session for a user and generate a new set of access tokens.

Note, when creating a session via Username/Password a refresh_token is only returned when the Refresh Token Timeout period has been set for your OpenId Connect app in the OneLogin portal.


Resource URL

https://<region>.onelogin.com/oidc/token

Header Parameter

Authorization

string

Required if Token Endpoint Authentication Method is set to Basic

Set to Basic <base64 encoded "clientId:clientSecret">.

The client_id and client_secret are generated when you configure your OpenId Connect app in OneLogin.

e.g. Using Node.js this would be

new Buffer(`${this.client_id}:${this.client_secret}`).toString('base64');

Content-Type

required

string

application/x-www-form-urlencoded

Resource Parameter

region

required

string

Set to the region of your OneLogin instance.

  • openid-connect
  • openid-connect-eu
e.g. If your OneLogin instance is located in Europe then use https://openid-connect-eu.onelogin.com/oidc

Request Parameter

grant_type

required

string

Set to “refresh_token”

refresh_token

required

string

Set this to the refresh_token that was returned via the Create a Session with Username/Password or Authorization Code grants.

client_id

string

The OneLogin generated Client ID for your OpenID Connect app.

Required if Token Endpoint Authentication method is set to POST.

client_secret

string

The OneLogin generated Client Secret for your OpenID Connect app.

Required if Token Endpoint Authentication method is set to POST.

Sample Request Body

refresh_token=xxxxx&grant_type=refresh_token

Sample Response

{
    "access_token": "ZTUxMWY5OGUtMGRlYi00ZTNkLThjYWEtYzkzY2U4NDVmMmM5gt4dEytSyyNvsA4wragMwLMTa...",
    "expires_in": 3600,
    "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkpSY080bnhzNWpnYzhZZE43STJoTE80V...",
    "refresh_token": "ZWM0MTI1NzktNjE1My00OTRkLWE2OWMtMWFmOGRlNzA1ZDQ2LqQ6dEuxfqsf9....",
    "token_type": "Bearer"
}

Probably an invalid client_id

{
    "error": "invalid_request",
    "error_description": "Resource not found"
}

The grant_type MUST be set to refresh_token

{
    "error": "unsupported_grant_type",
    "error_description": "unsupported grant_type requested (xxxx)"
}

The authorization header is invalid

{
    "error": "invalid_request",
    "error_description": "invalid authorization header value format"
}
{
    "error": "invalid_request",
    "error_description": "Authentication Failed"
}
{
    "error": "invalid_request",
    "error_description": "User is locked. Access is unauthorized"
}
{
    "error": "invalid_request",
    "error_description": "User is suspended. Access is unauthorized"
}
{
    "error": "invalid_request",
    "error_description": "Access is unauthorized"
}

Response Elements

access_token The token that represents the session that has just been created for the user.
expires_in The number of seconds until the session expires
id_token A JWT containing user and scope information for this session
refresh_token The token that should be used to refresh the session again
token_type The type of access token. Always set to “Bearer”

Sample Code

cURL

Replace sample values indicated by < > with your actual values.

curl -XPOST "https://<region>.onelogin.com/oidc/token" \
-H "Authorization: Basic <base64 encoded client_id:client_secret>" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=refresh_token&refresh_token=<refresh token>"

Postman Collection

Replace sample variables indicated by {{ }} with your actual values.

Download for the OpenId Connect API


Have a Question?

Have a how-to question? Seeing a weird error? Ask us about it on StackOverflow.

Found a bug? Submit a support ticket.

Have a product idea or request? Share it with us in our Ideas Portal.

StackOverflow discussions about "[onelogin] openid connect"

  • 6
    Votes

    A: SAML for Native Mobile Apps(Android and IOS)

    Answered Apr 02 2018

    session you've established with an SSO provider) between native apps that also support SAML the same way. https://spin.atomicobject.com/2016/09/01/sharing-web-data-wkwebview/ Basically, if you do this, you'll also be supporting SSO on mobile via SAML (or OpenID Connect, if you go that route) …

  • 5
    Votes
    1
    Answers

    Q: How to use onelogin SSO with AngularJS?

    Asked Jun 20 2016

    questions: 1> Onelogin is using SAML instead of OpenID Connect. I am not asking what's the difference between these two, but what is recommended since everyone is moving towards OpenID Connect? 2> Does Onelogin supports AngularJS? I don't see any documentation for onelogin API with AngularJS & Node See Here … I was looking into Onelogin for SSO. We have applications written in .NET, AngularJS + Node. None of these applications are mobile applications. After going through their documentation I have few …

  • 3
    Votes

    A: Does OneLogin support client session management via OIDC?

    Answered Nov 16 2018

    https://openid.net/specs/openid-connect-session-1_0.html: 2.1. OpenID Provider Discovery Metadata These OpenID Provider Metadata parameters MUST be included in the Server's discovery … responses when Session Management and Discovery are supported: check_session_iframe ... end_session_endpoint ... I don't see these metadata parameters in the OneLogin discovery metadata, so it looks like Session Management is not supported. …

  • 2
    Votes

    A: How to Validate an Access Token for OAuth2 + PCKE flow

    Answered Apr 25 2019

    returned from the auth code flow https://developers.onelogin.com/openid-connect/api/authorization-code-grant worked, and the access_token only returned {"active":false} after it expired. Make sure you are not setting the Authorization header, and only set your client_id in the payload. … I'm using OIDC with PKCE, and I managed to call the https://openid-connect.onelogin.com/oidc/token/introspection endpoint with a token retrieved via the authorization code flow: $ curl -i -d "token …

  • 2
    Votes

    Q: Python/Django library for registering multiple SSO Identity Providers(OpenID Connect)

    Asked Nov 08 2019

    I'm working on a project written in Python(Django) and i recently added an SSO option for logging in with OneLogin accounts. There's already support for Microsofts Azure SSO from an earlier feature … . I'm looking for a library which can somehow register different identity providers(Microsoft, OneLogin, Facebook, etc...) and then wrap the similar login logic into a single class, which would handle …

Loading...