You can request refresh_token by asking for offline scope in your request to /authorize.
Again, I suggest you get a better understanding of OIDC flows, as it’s not the purpose of Okta documentation to educate you in OIDC. You would not expect a 101-level explanation from API reference documentation, would you?
Thank you so much. I successfully adopted the refresh token in our application. Whenever we need to extend the session, we just call /token with the current refresh token to rotate it for a new refresh token. Once the refresh token is rotated, the access token and ID token are updated as well. Thus, the issue is resolved. Thank you so much for the help. Now I have a better understanding of OIDC.
The last question is about Okta functionality. Our existing authentication system has a method allowing the caller to get all users’ information. Does Okta have a method so that the caller can get all registered users of an application?
Again, thank you very much!
This is available with the help of the Management API. You’d need a service account with specific privileges and an API token generated for this account.
Thank you very much. This is very encouraging. Would you please point out some online help about how to implement this? Our situation is that we want to develop a REST API that would be called by any normal users who are authenticated by Okta. The REST API will return profiles (email addresses only, for example) of all users under an Application. Is this feasible? Thanks!
I don’t know if it’s covered anywhere in great detail, so the only thing I can share is the Users API - Users | Okta Developer, where you can find how to search and get user details.
The part which is not covered, but which you can google for, is:
- create service account in Okta
- give this account the least required privileges to only be able to search for users and then get their details (might be HelpDesk or ReadOnly for a specific group or the whole organization)
- generate API token for the user
Maybe other community members have something ready to share
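As an added example (not code from this thread or from Okta), here is how the backend described above could walk the Okta Users API with a service account's API token and return only profile e-mails; the org URL is a placeholder, the `OKTA_API_TOKEN` environment variable name is an assumption, and the `get` parameter exists so the paging logic can be exercised without a live org.

```python
"""Added example, not from the thread or Okta's docs: list user e-mail
addresses via GET /api/v1/users with a least-privilege service account's
API token (sent as the `SSWS` Authorization scheme). Okta pages results
with a `Link: <url>; rel="next"` response header, which is followed here."""
import json
import os
import re
import urllib.request

OKTA_ORG = "https://example.okta.com"  # placeholder: your org URL
# The API token stays server-side only (env var or secret store); it is
# never returned to the end user who calls our REST API.
API_TOKEN = os.environ.get("OKTA_API_TOKEN", "")  # assumed variable name

NEXT_LINK = re.compile(r'<([^>]+)>;\s*rel="next"')


def http_get(url, token):
    """Default transport: returns (status, headers dict, body bytes).
    Okta may send several Link headers, so they are joined into one."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"SSWS {token}",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        links = ", ".join(resp.headers.get_all("Link") or [])
        return resp.status, {"Link": links}, resp.read()


def next_page(headers):
    """Return the rel="next" URL from the Link header, or None on the last page."""
    m = NEXT_LINK.search(headers.get("Link", ""))
    return m.group(1) if m else None


def list_user_emails(token, org=OKTA_ORG, limit=200, get=http_get):
    """Walk every page of the Users API and collect profile.email values."""
    url = f"{org}/api/v1/users?limit={limit}"
    emails = []
    while url:
        status, headers, body = get(url, token)
        if status != 200:
            raise RuntimeError(f"Okta Users API returned HTTP {status}")
        for user in json.loads(body):
            email = user.get("profile", {}).get("email")
            if email:  # skip users whose profile has no e-mail attribute
                emails.append(email)
        url = next_page(headers)
    return emails
```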