Hi, I may be misunderstanding the purpose of a refresh token, but if I configure in Okta that the refresh token will never expire and use the endpoint to get a refresh token, should I always receive the same refresh token?
I am using the v1/token endpoint to get a refresh token, but this seems to be returning different values in different environments… I am confused about this behavior.
If the refresh_token can change, what’s the proper way of getting a refresh_token?
If it is something like a new code for a user, or resource owner’s username and password, you will get a different refresh token. If you are using the refresh grant, then you should be getting back the same token. Does that make sense?
You need to request the offline_access scope during the initial OAuth flow. If you do that, you’ll get a refresh token (in addition to access and ID tokens). See here: How to get a refresh token
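An added example, not part of the thread: a client-side token store that keeps whichever refresh token the latest token response carries, so it behaves correctly whether the server returns the same refresh token, omits it, or issues a new one (RFC 6749 section 6 permits a new one on a refresh grant). The class, function names, client ID and token values are constructed for illustration, and sending `client_id` in the body assumes a public client.

```python
from urllib.parse import urlencode

def refresh_request_body(refresh_token, client_id):
    """Form body for a refresh grant POSTed to the v1/token endpoint.
    Assumption: public client, so client_id travels in the body."""
    return urlencode({"grant_type": "refresh_token",
                      "refresh_token": refresh_token,
                      "client_id": client_id})

class TokenStore:
    """Keeps the newest tokens; never assumes the refresh token is stable."""

    def __init__(self):
        self.access_token = None
        self.refresh_token = None

    def apply(self, response):
        """Record a token response; report what happened to the refresh token."""
        self.access_token = response["access_token"]
        new_rt = response.get("refresh_token")
        if new_rt is None:
            # Nothing returned: keep the stored one, or flag that none was
            # ever issued (offline_access was probably not requested).
            return "unchanged" if self.refresh_token else "missing"
        old_rt, self.refresh_token = self.refresh_token, new_rt
        if old_rt is None:
            return "issued"
        return "unchanged" if new_rt == old_rt else "rotated"

# Constructed token responses (values are placeholders, not real tokens).
INITIAL = {"access_token": "at-1", "refresh_token": "rt-A",
           "scope": "openid offline_access"}
SAME = {"access_token": "at-2", "refresh_token": "rt-A"}
OMITTED = {"access_token": "at-3"}
ROTATED = {"access_token": "at-4", "refresh_token": "rt-B"}
NO_OFFLINE = {"access_token": "at-0", "scope": "openid"}

def demo():
    """Replay the constructed responses in order through one store."""
    store = TokenStore()
    outcomes = [store.apply(r) for r in (INITIAL, SAME, OMITTED, ROTATED)]
    return outcomes, store.refresh_token

if __name__ == "__main__":
    print(demo())
    print(TokenStore().apply(NO_OFFLINE))
    print(refresh_request_body("rt-B", "example-client"))
```

Persisting the value from each response, rather than caching the first refresh token indefinitely, is what keeps the client working across environments that are configured differently.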