Refresh an Access Token
Deprecation Notice
There is a more recent version of this OpenId Connect API available. Learn more.
This endpoint will be deprecated on November 2nd 2020.
Use this API to refresh the session for a user and generate a new set of access tokens.
Note, when creating a session via Username/Password a refresh_token is only returned when the Refresh Token Timeout period has been set for your OpenId Connect app in the OneLogin portal.
Resource URL
https://<region>.onelogin.com/oidc/tokenHeader Parameter
Authorization string |
Required if Token Endpoint Authentication Method is set to Basic Set to The e.g. Using Node.js this would be |
Content-Type required string | application/x-www-form-urlencoded |
Resource Parameter
region required string |
Set to the
https://openid-connect-eu.onelogin.com/oidc
|
Request Parameter
grant_type required string |
Set to “refresh_token” |
refresh_token required string |
Set this to the |
client_id string |
The OneLogin generated Client ID for your OpenID Connect app. Required if Token Endpoint Authentication method is set to POST. |
client_secret string |
The OneLogin generated Client Secret for your OpenID Connect app. Required if Token Endpoint Authentication method is set to POST. |
Sample Request Body
refresh_token=xxxxx&grant_type=refresh_tokenSample Response
- 200 OK
- 400 Bad Request
- 401 Unauthorized
{
"access_token": "ZTUxMWY5OGUtMGRlYi00ZTNkLThjYWEtYzkzY2U4NDVmMmM5gt4dEytSyyNvsA4wragMwLMTa...",
"expires_in": 3600,
"id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkpSY080bnhzNWpnYzhZZE43STJoTE80V...",
"refresh_token": "ZWM0MTI1NzktNjE1My00OTRkLWE2OWMtMWFmOGRlNzA1ZDQ2LqQ6dEuxfqsf9....",
"token_type": "Bearer"
}Probably an invalid client_id
{
"error": "invalid_request",
"error_description": "Resource not found"
}The grant_type MUST be set to refresh_token
{
"error": "unsupported_grant_type",
"error_description": "unsupported grant_type requested (xxxx)"
}The authorization header is invalid
{
"error": "invalid_request",
"error_description": "invalid authorization header value format"
}{
"error": "invalid_request",
"error_description": "Authentication Failed"
}{
"error": "invalid_request",
"error_description": "User is locked. Access is unauthorized"
}{
"error": "invalid_request",
"error_description": "User is suspended. Access is unauthorized"
}{
"error": "invalid_request",
"error_description": "Access is unauthorized"
}Response Elements
access_token |
The token that represents the session that has just been created for the user. |
expires_in |
The number of seconds until the session expires |
id_token |
A JWT containing user and scope information for this session |
refresh_token |
The token that should be used to refresh the session again |
token_type |
The type of access token. Always set to “Bearer” |
Sample Code
cURL
Replace sample values indicated by < > with your actual values.
curl -XPOST "https://<region>.onelogin.com/oidc/token" \
-H "Authorization: Basic <base64 encoded client_id:client_secret>" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=refresh_token&refresh_token=<refresh token>"
Postman Collection
Replace sample variables indicated by {{ }} with your actual values.
Download for the OpenId Connect API
Have a Question?
Have a how-to question? Seeing a weird error? Ask us about it on StackOverflow.
Found a bug? Submit a support ticket.
Have a product idea or request? Share it with us in our Ideas Portal.
StackOverflow discussions about "[onelogin] openid connect"
-
A: SAML for Native Mobile Apps(Android and IOS)
Answered Apr 02 2018session you've established with an SSO provider) between native apps that also support SAML the same way. https://spin.atomicobject.com/2016/09/01/sharing-web-data-wkwebview/ Basically, if you do this, you'll also be supporting SSO on mobile via SAML (or OpenID Connect, if you go that route) …
-
Q: How to use onelogin SSO with AngularJS?
Asked Jun 20 2016questions: 1> Onelogin is using SAML instead of OpenID Connect. I am not asking what's the difference between these two, but what is recommended since everyone is moving towards OpenID Connect? 2> Does Onelogin supports AngularJS? I don't see any documentation for onelogin API with AngularJS & Node See Here … I was looking into Onelogin for SSO. We have applications written in .NET, AngularJS + Node. None of these applications are mobile applications. After going through their documentation I have few …
-
A: Does OneLogin support client session management via OIDC?
Answered Nov 16 2018https://openid.net/specs/openid-connect-session-1_0.html: 2.1. OpenID Provider Discovery Metadata These OpenID Provider Metadata parameters MUST be included in the Server's discovery … responses when Session Management and Discovery are supported: check_session_iframe ... end_session_endpoint ... I don't see these metadata parameters in the OneLogin discovery metadata, so it looks like Session Management is not supported. …
-
A: How to Validate an Access Token for OAuth2 + PCKE flow
Answered Apr 25 2019returned from the auth code flow https://developers.onelogin.com/openid-connect/api/authorization-code-grant worked, and the access_token only returned {"active":false} after it expired. Make sure you are not setting the Authorization header, and only set your client_id in the payload. … I'm using OIDC with PKCE, and I managed to call the https://openid-connect.onelogin.com/oidc/token/introspection endpoint with a token retrieved via the authorization code flow: $ curl -i -d "token …
-
Q: Python/Django library for registering multiple SSO Identity Providers(OpenID Connect)
Asked Nov 08 2019I'm working on a project written in Python(Django) and i recently added an SSO option for logging in with OneLogin accounts. There's already support for Microsofts Azure SSO from an earlier feature … . I'm looking for a library which can somehow register different identity providers(Microsoft, OneLogin, Facebook, etc...) and then wrap the similar login logic into a single class, which would handle …
Loading...