Getting refresh_token server-side (sessionToken)

Our idea is to use our own HttpOnly, SameSite=Strict cookie with the access and refresh token in it for our microservices architecture.
We are primarily using the Authentication API to log users in with our own custom sign-in page.
We were able to get the access_token from the authorize endpoint using response_type=token with a sessionToken and redirecting the result as a form_post to our back-end endpoint.

I was unable to retrieve the refresh_token despite adding offline_access to the scope, even though it is checked in my application settings.

I don’t want to use the resource password flow, since we prefer using sessionToken, which will work with multi-factor if needed in the future.

I also tried using the code flow and redirecting the result to our back end, but since the code flow needs the client, it returns this error: "PKCE code verifier is required when the token endpoint authentication method is ‘NONE’." This error occurs even if we choose a .NET application.

How can we retrieve the refresh_token server-side?

To get the refresh_token you need to call /token with access_token received on step 1

@pld aside from making a call directly to /token with your access token, you can also check our Early Access feature called Refresh Token Rotation. Let us know if this helps!


@sigama
I can’t use the access_token to get a refresh_token; it makes no sense.
And the code flow doesn’t seem to work with the sessionToken to retrieve both the refresh and the access_token on the authorize endpoint.

The /token endpoint needs a CODE to retrieve both the refresh and the access token.

I was able to use the CODE flow and redirect from server-side to the authorize endpoint like so:

https://{YOUROKTADOMAIN}/oauth2/default/v1/authorize?client_id={YOURCLIENTID}&response_type=code&scope=openid%20offline_access&response_mode=query&redirect_uri={YOURSERVERSIDEGETURI}&state={Guid.NewGuid()}&sessionToken={SessionToken From Auth API}

This call will post back to my same server controller, so I can handle the token myself and create my own cookie.
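As an added example (not code from this thread and not Okta's own code), here is a minimal server-side sketch in Python of the flow the last post describes: build the /authorize redirect with response_type=code, scope openid offline_access, response_mode=query and the sessionToken from the Authentication API; validate state on the GET callback; exchange the code at /token with the client secret; and issue the HttpOnly cookie. The domain, client id, client secret and redirect URI are placeholders. The PKCE code_challenge/code_verifier parameters (RFC 7636) are an addition not present in the thread's URL; they are included because the thread's error message says the token endpoint demands a verifier when the client is configured without a token endpoint authentication method, and a server can hold the verifier safely.

```python
import base64
import hashlib
import secrets
import urllib.parse

# Placeholder configuration: none of these values come from the thread.
OKTA_DOMAIN = "your-org.okta.com"
CLIENT_ID = "YOUR_CLIENT_ID"
CLIENT_SECRET = "YOUR_CLIENT_SECRET"
REDIRECT_URI = "https://backend.example.com/auth/callback"
AUTHORIZE_URL = f"https://{OKTA_DOMAIN}/oauth2/default/v1/authorize"
TOKEN_URL = f"https://{OKTA_DOMAIN}/oauth2/default/v1/token"


def code_challenge_from_verifier(verifier: str) -> str:
    """PKCE S256 challenge (RFC 7636): BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_login_attempt() -> dict:
    """Per-login secrets the server must remember (e.g. in a short-lived, HttpOnly
    pre-auth session) until the callback arrives: the state and the PKCE verifier."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return {"state": secrets.token_urlsafe(32), "code_verifier": verifier}


def build_authorize_url(session_token: str, attempt: dict) -> str:
    """Step 1: the redirect to /authorize. Parameter names match the URL in the thread,
    plus the PKCE challenge so a client configured without a secret also works."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid offline_access",   # offline_access is what yields a refresh_token
        "response_mode": "query",
        "redirect_uri": REDIRECT_URI,
        "state": attempt["state"],
        "sessionToken": session_token,       # from the Authentication API login
        "code_challenge": code_challenge_from_verifier(attempt["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params, quote_via=urllib.parse.quote)


def parse_callback(callback_url: str, attempt: dict) -> str:
    """Step 2: validate the GET callback and extract the authorization code.
    The state must match the one stored for this browser, or the code is rejected."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state, attempt["state"]):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def build_token_request(code: str, attempt: dict) -> dict:
    """Step 3: the back-channel POST to /token. A confidential client authenticates with
    client_secret_basic; code_verifier proves this server started the flow."""
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode("ascii")
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": attempt["code_verifier"],
    }
    return {
        "url": TOKEN_URL,
        "headers": {
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urllib.parse.urlencode(body),
    }


def session_cookie(name: str, value: str, max_age: int) -> str:
    """Step 4: Set-Cookie value for the server-issued session cookie that holds the
    tokens (or an opaque session id that maps to them server-side)."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; HttpOnly; Secure; SameSite=Strict"


if __name__ == "__main__":
    attempt = new_login_attempt()
    print(build_authorize_url("SESSION_TOKEN_FROM_AUTHN_API", attempt))
```

The request returned by build_token_request is what the callback controller sends with its HTTP client; the JSON response carries access_token and, because offline_access was requested, refresh_token, which the controller then places in the cookie built by session_cookie. Keep the state and code_verifier tied to the browser that started the login, never in the redirect URL itself.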
