
I'm having some trouble wrapping my mind around OAuth 2.0, particularly the thephpleague/oauth2-server implementation.

I managed to set up an endpoint to create access tokens using the Password grant type. That is, when someone does a POST /auth, they get the following answer:

{
    "access_token": "hleVw03Fx4hVsaCqEmFqcXeks0hsDTkNSxMN17NR",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "GD8kT7JfGULhUKSTSBsF7AO6NaIXrqPS0dlyQjTm"
}

What I want to do now is generate a new token when the access_token expires. I understand that I should use the refresh_token to ask for a fresh new token. However, I didn't find any documentation to start with.

John Slegers
leamasuero

1 Answer


You can use the Refresh Grant type to get a new access token. It is a standardized flow that is described in the spec here: https://www.rfc-editor.org/rfc/rfc6749#section-6. An example request to the token endpoint (taken from the spec) would look like:

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA

In this case the client authenticates itself with Basic Authentication to the token endpoint using its client_id and client_secret. In commandline cURL it would look like:

# -u sends the client credentials as HTTP Basic auth; -d makes it a POST with a
# form-encoded body. The token endpoint URL is the one from the spec example above.
curl -u "${CLIENT_ID}:${CLIENT_SECRET}" \
     -d "grant_type=refresh_token&refresh_token=${REFRESH_TOKEN}" \
     https://server.example.com/token
Hans Z.
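To make the refresh exchange concrete, here is an added example (not code from the question, the answer, or thephpleague/oauth2-server) that models both sides of the flow in Python: a client helper that builds exactly the Basic-authenticated, form-encoded request shown in the answer, and a toy token endpoint that handles the password grant the asker already has plus the refresh_token grant. The client id/secret and user credentials are the ones from the RFC 6749 examples (the Basic header above decodes to s6BhdRkqt3:gX1fBat3bV); the in-memory token store, the `TokenServer` class, the `bearer_user` helper, the injectable clock and the TTLs are assumptions made for this illustration. The server rotates the refresh token on every use and revokes the access token paired with it, which is the behaviour a practitioner should expect from a real implementation: a replayed refresh token, a wrong client secret, a refresh token issued to a different client, and an expired refresh token are all rejected.

```python
import base64
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed registrations (example data, not from the page). The client
# credentials are the ones encoded in the spec's Basic header above.
CLIENTS = {"s6BhdRkqt3": "gX1fBat3bV"}
USERS = {"johndoe": "A3ddj3w"}


class TokenServer:
    """Toy token endpoint supporting the password and refresh_token grants (assumed design)."""

    def __init__(self, clients, users, access_ttl=3600, refresh_ttl=30 * 86400, now=time.time):
        self.clients, self.users = clients, users
        self.access_ttl, self.refresh_ttl, self.now = access_ttl, refresh_ttl, now
        self.access_tokens = {}   # access_token -> {"client_id", "user", "expires"}
        self.refresh_tokens = {}  # refresh_token -> {"client_id", "user", "access_token", "expires", "used"}

    def _client_from_basic_auth(self, headers):
        # Confidential clients must authenticate to the token endpoint (RFC 6749 s3.2.1, s6).
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return None
        try:
            client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:  # bad base64 or non-UTF-8 bytes
            return None
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
            return None
        return client_id

    def _issue(self, client_id, user):
        """Mint a fresh access/refresh token pair in the JSON shape the question shows."""
        now = self.now()
        at, rt = secrets.token_urlsafe(30), secrets.token_urlsafe(30)
        self.access_tokens[at] = {"client_id": client_id, "user": user, "expires": now + self.access_ttl}
        self.refresh_tokens[rt] = {"client_id": client_id, "user": user, "access_token": at,
                                   "expires": now + self.refresh_ttl, "used": False}
        return {"access_token": at, "token_type": "Bearer", "expires_in": self.access_ttl, "refresh_token": rt}

    def token_endpoint(self, headers, body):
        """Handle POST /token; returns (http_status, json_body)."""
        client_id = self._client_from_basic_auth(headers)
        if client_id is None:
            return 401, {"error": "invalid_client"}
        p = {k: v[0] for k, v in parse_qs(body).items()}
        grant = p.get("grant_type")
        if grant == "password":
            pw = self.users.get(p.get("username", ""))
            if pw is None or not hmac.compare_digest(pw.encode(), p.get("password", "").encode()):
                return 400, {"error": "invalid_grant"}
            return 200, self._issue(client_id, p["username"])
        if grant == "refresh_token":
            rec = self.refresh_tokens.get(p.get("refresh_token", ""))
            # Unknown, already used, expired, or issued to another client: all invalid_grant.
            if rec is None or rec["used"] or rec["expires"] <= self.now() or rec["client_id"] != client_id:
                return 400, {"error": "invalid_grant"}
            rec["used"] = True                                  # rotate: single use only
            self.access_tokens.pop(rec["access_token"], None)   # revoke the paired access token too
            return 200, self._issue(client_id, rec["user"])
        return 400, {"error": "unsupported_grant_type"}

    def bearer_user(self, access_token):
        """What a resource server would do with the Bearer token: None if unknown or expired."""
        rec = self.access_tokens.get(access_token)
        if rec is None or rec["expires"] <= self.now():
            return None
        return rec["user"]


def token_request(client_id, client_secret, **params):
    """Client side: the Basic-authenticated, form-encoded request from the answer."""
    cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {cred}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode(params)


if __name__ == "__main__":
    srv = TokenServer(CLIENTS, USERS)
    status, tokens = srv.token_endpoint(*token_request(
        "s6BhdRkqt3", "gX1fBat3bV", grant_type="password", username="johndoe", password="A3ddj3w"))
    print(status, tokens)
    status, fresh = srv.token_endpoint(*token_request(
        "s6BhdRkqt3", "gX1fBat3bV", grant_type="refresh_token", refresh_token=tokens["refresh_token"]))
    print(status, fresh)
```

The client keeps both tokens from the password grant, and when a resource request fails because the access token has expired it sends the refresh request and replaces both stored tokens with the new pair; since the old refresh token is revoked on use, a client that forgets to store the new one will be locked out and must repeat the password grant.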