I first get a refresh token, then try to use this refresh token to retrieve another access token and id token, but get 403 Forbidden. I have searched around but have not found an answer to this.
I have tried the exact same POST body format with Azure AD and I was able to get the access token and id token using the Azure refresh token (see the screenshot below), so I am wondering whether I need to configure something else in the Okta IDP to make it work, or is it a defect in Okta?
No issue with Azure AD using refresh token in the same post body format.
Is redirect_url the same one that was used while getting the access_token initially? Also double-check that the scopes are all the same. Also verify that the access policy for your AuthZ server allows use of refresh_token.
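The refresh-token exchange that the reply above asks the poster to check, as an added example that is not part of the original thread: it builds the request to the authorization server's token endpoint (client_secret_basic authentication, form-encoded body, optional scope that must be a subset of the original grant per RFC 6749 section 6) and classifies the JSON response. The issuer URL, client_id, client_secret and token strings are placeholders, and the sample responses are constructed; nothing here is Okta's own code.

```python
"""Added example (not from the original thread): build, send and classify an
OAuth 2.0 refresh_token grant against an Okta authorization server."""
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen
from urllib.error import HTTPError

TOKEN_PATH = "/v1/token"  # Okta token endpoint is <issuer>/v1/token


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """client_secret_basic: base64("client_id:client_secret"), as Postman's
    Basic Auth tab does with the client id as username and secret as password."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_refresh_request(issuer, client_id, client_secret, refresh_token, scope=None):
    """Return (url, headers, form_body) for a refresh_token grant.
    Only grant_type and refresh_token are required; scope is optional and,
    when present, may not exceed what the original authorization granted."""
    url = issuer.rstrip("/") + TOKEN_PATH
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_auth_header(client_id, client_secret),
    }
    form = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    if scope:
        form["scope"] = scope
    return url, headers, urlencode(form)  # urlencode percent-encodes the token safely


def scopes_are_subset(requested: str, originally_granted: str) -> bool:
    """A refresh may narrow the scope set but never widen it."""
    return set(requested.split()) <= set(originally_granted.split())


def classify_token_response(status: int, body_text: str) -> dict:
    """Reduce a token-endpoint reply to what a troubleshooter needs: success
    plus which tokens came back, or the HTTP status and OAuth error fields."""
    try:
        body = json.loads(body_text)
    except ValueError:
        body = {}
    if status == 200 and "access_token" in body:
        return {
            "outcome": "ok",
            "has_id_token": "id_token" in body,
            "has_refresh_token": "refresh_token" in body,
        }
    return {
        "outcome": "error",
        "status": status,
        "error": body.get("error"),
        "error_description": body.get("error_description"),
    }


def send_refresh_request(issuer, client_id, client_secret, refresh_token, scope=None):
    """Perform the exchange over the network (not exercised offline).
    HTTPError is caught so a 401/403 body with error/error_description is
    classified instead of raising."""
    url, headers, form = build_refresh_request(issuer, client_id, client_secret,
                                               refresh_token, scope)
    req = Request(url, data=form.encode("utf-8"), headers=headers, method="POST")
    try:
        with urlopen(req, timeout=10) as resp:
            return classify_token_response(resp.status, resp.read().decode("utf-8"))
    except HTTPError as err:
        return classify_token_response(err.code, err.read().decode("utf-8"))


# Constructed sample responses, in the shape of the OAuth 2.0 token endpoint.
SAMPLE_OK = json.dumps({"token_type": "Bearer", "expires_in": 3600,
                        "access_token": "eyJ.example.access", "id_token": "eyJ.example.id",
                        "refresh_token": "rt-example-2", "scope": "openid offline_access"})
SAMPLE_BAD_CLIENT = json.dumps({"error": "invalid_client",
                                "error_description": "Client authentication failed."})

if __name__ == "__main__":
    # Placeholder issuer/credentials; replace with your org's values to run for real.
    url, headers, body = build_refresh_request(
        "https://dev-000000.okta.com/oauth2/default", "abc", "xyz",
        "rt-example", "openid offline_access")
    print(url, headers["Authorization"], body)
    print(classify_token_response(200, SAMPLE_OK))
    print(classify_token_response(401, SAMPLE_BAD_CLIENT))
```

When comparing with a failing Postman request, the two fields to line up are the Authorization header produced by basic_auth_header and the percent-encoded body from build_refresh_request; a refresh token pasted with stray whitespace or a scope string wider than the original grant will not match what this code sends.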
Yes, I have two authorization servers. One is the default, and the other is customized. I used the default one above, and the customized one below. Still a 403 error.
The refresh token is also from the customized authorization server.
Does refresh_token only work with paid accounts?
It is very strange that I am getting a 403 error. I am sure I use the correct client id and client secret as the username and password. If I input an invalid client id, I get "errorCode": "invalid_client".
I have no problem getting the access token, id token and refresh token using the authorization code flow, which means the token endpoint, auth endpoint, client id, client secret, redirect uri and scopes are all accurate.
refresh_token works for sure on all types of accounts, as long as the Access Management API feature is enabled for it.
I just ran this scenario on my dev org and it worked like a charm: both refresh and introspect. You are definitely doing something wrong. Try to parametrize (use placeholders for) your requests in Postman, rather than copy/pasting values in.
Thanks for checking.
I checked every aspect of the configuration but unfortunately, I didn't find anything wrong.
I also read the Okta help doc regarding the refresh token one more time, but nothing helped.
I typed all parameter values except for the token value in Postman, and am still getting a 403 error.
Weird!