See openid-connect Menu

Refresh a Session


Use this API to refresh the session for a user and generate a new set of access tokens.

Note, when creating a session via Username/Password a refresh_token is only returned when the Refresh Token Timeout period has been set for your OpenId Connect app in the OneLogin portal.

Resource URL

https://<subdomain>.onelogin.com/oidc/token

Header Parameter

Authorization

required

string

Set to Basic <base64 encoded "clientId:clientSecret">.

The client_id and client_secret are generated when you configure your OpenId Connect app in OneLogin.

e.g. Using Node.js this would be

new Buffer(`${this.client_id}:${this.client_secret}`).toString('base64');

Content-Type

required

string

application/x-www-form-urlencoded

Resource Parameter

subdomain

required

integer

Set to the subdomain of your OneLogin instance.

e.g. oidc-sample where the instance is https://oidc-sample.onelogin.com

Request Parameter

grant_type

required

string

Set to “refresh_token”

refresh_token

required

string

Set this to the refresh_token that was returned via the Create a Session with Username/Password or Authorization Code grants.

Sample Request Body

refresh_token=xxxxx&grant_type=refresh_token

Sample Response

{
    "access_token": "ZTUxMWY5OGUtMGRlYi00ZTNkLThjYWEtYzkzY2U4NDVmMmM5gt4dEytSyyNvsA4wragMwLMTa...",
    "expires_in": 3600,
    "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkpSY080bnhzNWpnYzhZZE43STJoTE80V...",
    "refresh_token": "ZWM0MTI1NzktNjE1My00OTRkLWE2OWMtMWFmOGRlNzA1ZDQ2LqQ6dEuxfqsf9....",
    "token_type": "Bearer"
}

Probably an invalid client_id

{
    "error": "invalid_request",
    "error_description": "Resource not found"
}

The grant_type MUST be set to refresh_token

{
    "error": "unsupported_grant_type",
    "error_description": "unsupported grant_type requested (xxxx)"
}

The authorization header is invalid

{
    "error": "invalid_request",
    "error_description": "invalid authorization header value format"
}
{
    "error": "invalid_request",
    "error_description": "Authentication Failed"
}
{
    "error": "invalid_request",
    "error_description": "User is locked. Access is unauthorized"
}
{
    "error": "invalid_request",
    "error_description": "User is suspended. Access is unauthorized"
}
{
    "error": "invalid_request",
    "error_description": "Access is unauthorized"
}

Response Elements

access_token The token that represents the session that has just been created for the user.
expires_in The number of seconds until the session expires
id_token A JWT containing user and scope information for this session
refresh_token The token that should be used to refresh the session again
token_type The type of access token. Always set to “Bearer”

Sample Code

cURL

Replace sample values indicated by < > with your actual values.

curl -XPOST "https://<subdomain>.onelogin.com/oidc/token" \
-H "Authorization: Basic <base64 encoded client_id:client_secret>" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=refresh_token&refresh_token=<refresh token>"


Have a Question?

Have a how-to question? Seeing a weird error? Ask us about it on StackOverflow.

Found a bug? Submit a support ticket.

Have a product idea or request? Share it with us in our Ideas Portal.