Sonika

Reputation: 151

Refresh tokens Identity Server4

We are using IdentityServer4 to protect our APIs. We want to use refresh tokens to allow gaining long-lived access to APIs. As per the documents (http://docs.identityserver.io/en/release/index.html) we have set AllowOfflineAccess to true, but still it's not working. After AccessTokenLifetime expires (3600 seconds), the token is not working. Here is the client:

    return new List<Client>
    {
        new Client
        {
            ClientId = "client",

            // no interactive user, use the clientid/secret for authentication
            AllowedGrantTypes = GrantTypes.ClientCredentials,

            // secret for authentication
            ClientSecrets =
            {
                new Secret("secret".Sha256())
            },

            // scopes that client has access to
            AllowedScopes = { "api1" },
            AccessTokenLifetime = 3600,
            AllowOfflineAccess = true
        }
    };

Upvotes: 0

Views: 2669

Answers (1)

user4864425

The client app has to request the refresh token.

Please note that refresh tokens are not available for every flow:

Refresh tokens are supported in hybrid, authorization code and resource owner password flows. To request a refresh token, the client needs to include the offline_access scope in the token request (and must be authorized to request for that scope).

Add this line to your client code:

.AddOpenIdConnect("oidc", "Open Id connect", options =>
{
    // ask IdentityServer for a refresh token along with the access token
    options.Scope.Add("offline_access");
});

The way refresh tokens work:

  • Log in to get an access token. The refresh token is included when you use the 'offline_access' scope.
  • Use the access token until it expires.
  • Get a new access token by sending the refresh token to the endpoint.
  • Depending on your strategy you can also 'refresh' the refresh token itself (replace the persisted refresh token with a new token). Or do not return a refresh token until the token expires, requiring the user to log in again.

Upvotes: 3
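
Worked example (added here; it is not code from the question or from the answer above). The question's client uses GrantTypes.ClientCredentials, which is not one of the flows the documentation quoted in the answer lists as supporting refresh tokens, so AllowOfflineAccess has no effect on it: a client-credentials client simply asks the token endpoint for a new access token with its secret once the old one expires. The code below instead configures a resource owner password client that does receive a refresh token, sets the server-side rotation and lifetime options, and performs the two token-endpoint calls from the answer's list (password grant with offline_access, then the refresh_token grant). It assumes an IdentityServer4 host at https://localhost:5001, a test user "alice", a client id "ro.client" and an API scope "api1"; all of those names and the URL are placeholders.

```csharp
// Added example, not part of the original question or answer.
// Assumes an IdentityServer4 host at https://localhost:5001 with a test user
// "alice" and an API scope "api1"; all names and the URL are placeholders.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Models;

public static class RefreshTokenExample
{
    // Server side: a client that can actually be issued a refresh token.
    // ClientCredentials never gets one (there is no user to act on behalf of);
    // such a client just requests a fresh access token with its secret.
    public static IEnumerable<Client> GetClients() =>
        new List<Client>
        {
            new Client
            {
                ClientId = "ro.client",
                AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
                ClientSecrets = { new Secret("secret".Sha256()) },

                // offline_access must be both allowed here and requested by the client
                AllowedScopes = { "api1", IdentityServerConstants.StandardScopes.OfflineAccess },
                AllowOfflineAccess = true,

                AccessTokenLifetime = 3600,

                // Rotate on every refresh: the old refresh token is revoked when
                // the new one is handed out, so a copied token dies at the next refresh.
                RefreshTokenUsage = TokenUsage.OneTimeOnly,
                RefreshTokenExpiration = TokenExpiration.Sliding,
                SlidingRefreshTokenLifetime = 1296000,   // 15 days of inactivity
                AbsoluteRefreshTokenLifetime = 2592000,  // 30 days hard cap
                UpdateAccessTokenClaimsOnRefresh = true
            }
        };

    private static readonly HttpClient Http = new HttpClient();
    private const string TokenEndpoint = "https://localhost:5001/connect/token"; // assumed host

    // Step 1: password grant, asking for offline_access so a refresh token is included.
    public static Task<Dictionary<string, JsonElement>> LoginAsync(string user, string password) =>
        PostTokenRequestAsync(new Dictionary<string, string>
        {
            ["grant_type"] = "password",
            ["client_id"] = "ro.client",
            ["client_secret"] = "secret",
            ["username"] = user,
            ["password"] = password,
            ["scope"] = "api1 offline_access"
        });

    // Step 3: trade the refresh token for a new access token (and, with
    // OneTimeOnly usage, a new refresh token that replaces the old one).
    public static Task<Dictionary<string, JsonElement>> RefreshAsync(string refreshToken) =>
        PostTokenRequestAsync(new Dictionary<string, string>
        {
            ["grant_type"] = "refresh_token",
            ["client_id"] = "ro.client",
            ["client_secret"] = "secret",
            ["refresh_token"] = refreshToken
        });

    private static async Task<Dictionary<string, JsonElement>> PostTokenRequestAsync(Dictionary<string, string> form)
    {
        using var response = await Http.PostAsync(TokenEndpoint, new FormUrlEncodedContent(form));
        var body = await response.Content.ReadAsStringAsync();
        if (!response.IsSuccessStatusCode)
            throw new InvalidOperationException($"token endpoint returned {(int)response.StatusCode}: {body}");
        return JsonSerializer.Deserialize<Dictionary<string, JsonElement>>(body);
    }

    public static async Task Main()
    {
        var tokens = await LoginAsync("alice", "password");
        // refresh_token is absent if offline_access was not requested or not allowed
        var refreshToken = tokens["refresh_token"].GetString();
        Console.WriteLine($"access token expires in {tokens["expires_in"]} s");

        // Step 2: call api1 with the access token until it expires, then:
        var renewed = await RefreshAsync(refreshToken);
        refreshToken = renewed["refresh_token"].GetString(); // persist the rotated token, discard the old one
        Console.WriteLine("access token renewed; new refresh token persisted");
    }
}
```

The refresh_token field appears in the first response only when offline_access was both requested and allowed for the client. With RefreshTokenUsage set to OneTimeOnly, each refresh response carries a new refresh token and the old one is revoked, so the client must store the new value and discard the old; a refresh call that comes back with invalid_grant means the refresh token has expired or has already been used, and the user has to log in again.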

Related Questions