Will Regelmann

Reputation: 41

Apache OpenID Connect refreshing token early

I'm using mod_auth_openidc on my resource server with ORY HYDRA on the OAuth provider and a custom login & consent provider. OpenID Connect flows properly through login and consent and directs back to the resource server, and the session persists for some time (seems to be about 30 minutes - maybe shorter with inactivity). After that time, the next request the client makes is directed back to the login and consent provider, even if the id token has not expired. My OAuth provider definitely remembers the session because it immediately passes the client back to the resource server, but with a new token.

As an example, I began a session at 1587483280 and was issued a token with an expiration time of 1587486880. The session persisted and I was able to navigate around the resource server without being redirected to the login and consent provider. After about 10 minutes of inactivity, the next page load directed me to the login and consent provider, which immediately sent me back to the resource server with a new token with an issue time of 1587485777 and an expiry time of 1587489377. I can also see that I have a new auth_openidc session ID.

I'm very new to OAuth, so I'm not really sure where to start troubleshooting this. Can anybody recommend a starting point?

Upvotes: 0

Views: 1043

Answers (1)

vinckr

Reputation: 178

You need to add scope=offline to be able to get a refresh token.

There is some additional information on this: https://www.ory.sh/hydra/docs/debugging/#oauth-20-refresh-token-is-missing

Upvotes: 0
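For reference, the scope change the answer suggests could look like this in a mod_auth_openidc configuration. This is an added example, not configuration posted by the asker or the answerer; the hostnames, client ID, secret, passphrase, protected path and timer values are constructed placeholders.

```apache
# Constructed placeholders: replace with the real Hydra issuer and client values.
OIDCProviderMetadataURL https://hydra.example.com/.well-known/openid-configuration
OIDCClientID            example-client
OIDCClientSecret        example-secret
OIDCRedirectURI         https://rs.example.com/protected/redirect_uri
OIDCCryptoPassphrase    replace-with-a-long-random-value

# Before: only the "openid" scope is requested, so the token response
# carries no refresh token.
# OIDCScope "openid"

# After: also request the "offline" scope, as the answer suggests.
# The Hydra client must be allowed to request this scope and to use the
# refresh_token grant, and the consent app must grant the scope.
OIDCScope "openid offline"

# mod_auth_openidc keeps its own session timers, separate from the ID
# token's exp claim. When unset, the inactivity timeout defaults to
# 300 seconds and the maximum duration to 8 hours.
# The values below are illustrative assumptions, not recommendations.
OIDCSessionInactivityTimeout 1800
OIDCSessionMaxDuration       28800

<Location /protected>
    AuthType openid-connect
    Require valid-user
</Location>
```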
