Okta SCIM OAuth integration failure with refresh_token

I’m testing SCIM Integration.
Configured app for SCIM with OAuth authorization code flow.
Test authorization is working great, but after a while,
I observe the following issue:
Microsoft.AspNetCore.Hosting.Diagnostics|Request starting HTTP/1.1 POST https://***..com/connect/token - application/x-www-form-urlencoded 93

OpenIddict.Server.OpenIddictServerDispatcher|The token request was successfully extracted: {
"grant_type": "refresh_token",
"client_secret": "[redacted]",
"client_id": "********SCIM"
}

OpenIddict.Server.OpenIddictServerDispatcher|The token request was rejected because the mandatory 'refresh_token' parameter was missing

OpenIddict.Server.OpenIddictServerDispatcher|The response was successfully returned as a JSON document: {
"error": "invalid_request",
"error_description": "The mandatory 'refresh_token' parameter is missing.",
"error_uri": "Error description
}

I do not think it is on my side, but on Okta’s.

Can anybody explain what can be done to fix this issue?
This request is kind of urgent.

Hi @bespalov! And are you passing in the offline_access scope in your /authorize request as per Refresh access tokens | Okta Developer?

The mentioned call comes from Okta!
{
"grant_type": "refresh_token",
"client_secret": "[redacted]",
"client_id": "********SCIM"
}

Yes, sure, if I make this call myself:

Example from my local instance:

POST /connect/token HTTP/2
Host: *******host.com
content-type: application/x-www-form-urlencoded
user-agent: insomnia/8.5.1
accept: */*
content-length: 126

  • TLSv1.2 (OUT), TLS header, Supplemental data (23):

| grant_type=client_credentials&client_id=********SCIM&client_secret=secret&scope=openid+offline_access

{
"access_token": "[redacted]",
"token_type": "Bearer",
"expires_in": 3600,
"id_token": "[redacted]",
"refresh_token": "[redacted]"
}

Could you also confirm if you’re hosting the server on Okta, or if the SCIM server is hosted elsewhere?

If you are using Okta, you should simply request offline_access. However, if you are using a different platform, the process may be more complex as we’re unfamiliar with how your server operates and whether it supports the refresh token.

Generally, adding offline_access should resolve the issue. However, some authorization servers include offline access as a default scope, and therefore it doesn’t need to be requested. You can find more information on this topic in our article: Okta Help Center (Lightning)

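To make the failure in the logs concrete, here is an added Python sketch (not Okta's or OpenIddict's code) of a token endpoint that only mints a refresh token when offline_access was requested, plus a stand-in for Okta that stores whatever it received and later tries the refresh_token grant with it; the in-memory token store, one-time rotation, and the unchecked "code" value are assumptions made for the example.

```python
from urllib.parse import parse_qs, urlencode
import secrets

# Constructed in-memory store of live refresh tokens; a real server persists these.
ISSUED_REFRESH_TOKENS = set()

def token_endpoint(body: str) -> dict:
    """Minimal token endpoint mirroring the OpenIddict rejection seen in the thread."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    grant = form.get("grant_type")
    if grant == "refresh_token":
        rt = form.get("refresh_token")
        if rt is None:
            # Exactly the case in the logs: the client never received a refresh
            # token, so its refresh_token grant carries no refresh_token parameter.
            return {"error": "invalid_request",
                    "error_description": "The mandatory 'refresh_token' parameter is missing."}
        if rt not in ISSUED_REFRESH_TOKENS:
            return {"error": "invalid_grant", "error_description": "Unknown refresh token."}
        ISSUED_REFRESH_TOKENS.discard(rt)  # assumed rotation: each refresh token is single-use
        return _issue(with_refresh=True)
    if grant in ("authorization_code", "client_credentials"):
        scopes = form.get("scope", "").split()
        # A refresh token is only minted when offline_access was requested (not a default here).
        return _issue(with_refresh="offline_access" in scopes)
    return {"error": "unsupported_grant_type"}

def _issue(with_refresh: bool) -> dict:
    resp = {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}
    if with_refresh:
        resp["refresh_token"] = secrets.token_urlsafe(32)
        ISSUED_REFRESH_TOKENS.add(resp["refresh_token"])
    return resp

def simulate_okta(initial_scope: str) -> dict:
    """Stand-in for Okta: exchange the code once, then later refresh with whatever it stored."""
    first = token_endpoint(urlencode({"grant_type": "authorization_code", "code": "constructed",
                                      "client_id": "SCIM", "client_secret": "s",
                                      "scope": initial_scope}))
    refresh_form = {"grant_type": "refresh_token", "client_id": "SCIM", "client_secret": "s"}
    if "refresh_token" in first:
        refresh_form["refresh_token"] = first["refresh_token"]
    return token_endpoint(urlencode(refresh_form))
```

Calling simulate_okta("openid") reproduces the invalid_request response from the logs, while simulate_okta("openid offline_access") refreshes successfully.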