OIDC-conformant Refresh Token use

Adoption Guide

This document is part of the adoption guide for OIDC-conformant authentication. If you haven't already, we strongly suggest reading the introduction before reading this document.

There are some changes to how Refresh Tokens are used in the OIDC-conformant authentication pipeline:

  • Using the implicit grant for authentication will no longer return Refresh Tokens. Use silent authentication (such as prompt=none) instead.
  • Refresh Tokens should only be used by confidential applications. However, Native (public) applications, such as mobile apps, can also obtain and use Refresh Tokens.
  • The /delegation endpoint is deprecated. To obtain new tokens from a Refresh Token, the /oauth/token endpoint should be used instead.
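The /oauth/token exchange described above, as an added example that is not code from the Auth0 guide: a client sends the OAuth 2.0 refresh_token grant (RFC 6749, section 6) and handles the reply. The tenant URL is a placeholder, and the rotated-token and invalid_grant handling follow the RFC rather than anything stated on this page.

```python
# Added example, not from the Auth0 guide: exchange a Refresh Token for new
# tokens at /oauth/token with the OAuth 2.0 refresh_token grant (RFC 6749, sec. 6).
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://YOUR_TENANT.example/oauth/token"  # placeholder, not a real tenant


def build_refresh_request(refresh_token, client_id, client_secret=None):
    # Form fields for the grant. Only a confidential client sends client_secret;
    # a native (public) client has no secret and is identified by client_id alone.
    fields = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
    }
    if client_secret is not None:
        fields["client_secret"] = client_secret
    return fields


def handle_token_response(status, body, stored_refresh_token):
    # Returns (access_token, refresh_token_to_keep, must_reauthenticate).
    # A 200 may carry a rotated refresh_token, which replaces the stored one.
    # invalid_grant means the stored token is expired or revoked: discard it and
    # send the user through an interactive login again instead of retrying.
    data = json.loads(body)
    if status == 200:
        return data["access_token"], data.get("refresh_token", stored_refresh_token), False
    if data.get("error") == "invalid_grant":
        return None, None, True
    raise RuntimeError("token endpoint error %s: %s" % (status, data.get("error")))


def refresh(refresh_token, client_id, client_secret=None, urlopen=urllib.request.urlopen):
    # POST the grant over TLS; the Refresh Token travels only in the request body,
    # never in the URL, so it does not land in proxy or server access logs.
    fields = build_refresh_request(refresh_token, client_id, client_secret)
    req = urllib.request.Request(TOKEN_URL, data=urllib.parse.urlencode(fields).encode(),
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urlopen(req) as resp:
            return handle_token_response(resp.status, resp.read(), refresh_token)
    except urllib.error.HTTPError as err:  # 4xx replies carry a JSON error body too
        return handle_token_response(err.code, err.read(), refresh_token)
```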

Please note that Refresh Tokens must be kept confidential in transit and storage, and they should be shared only among the authorization server and the client to whom the Refresh Tokens were issued.

Further reading