TelenorID+ Token Refresh
Refresh tokens are typically longer-lived and can be used to request new access tokens after the shorter-lived access tokens expire.
Only specific client types can get refresh tokens, and you must include the offline_access scope when you initiate the authentication request.
The client will only get a new refresh token if the SSO session is still active.
Refresh token lifetime
The lifetime of a refresh token is defined by the refresh policy in TelenorID+.
The client can, if the policy allows it, retrieve new refresh tokens through the token endpoint with grant_type=refresh_token.
TelenorID+ Refresh policies
| Policy | Description | Sliding* | Lifetime | Client type |
|---|---|---|---|---|
| NoRefresh | Can't refresh, no refresh token is provided to the client | N/A | N/A | Public |
| Confidential | The refresh token can only be used for 14 days; a new token must be collected through a login | NO | 14 days | Confidential |
| Mobile | The token can be refreshed and a new 90-day token will be provided | YES | 90 days | MobileApp |
| PublicWeb | The token can be refreshed and a new 10 min token will be provided | YES | 10 min | PublicWithRefresh |
| Web | Same as PublicWeb | YES | 10 min | PublicWithRefresh |
- *Sliding = YES → when refreshing the token, the lifetime of the refresh token will be renewed
- *Sliding = NO → the refresh token will expire on a fixed point in time
Get refresh_token
To get a refresh token, you must include the offline_access scope when you initiate an authentication request through the authorize endpoint.
Once the user authenticates successfully, the application will be redirected to the redirect_uri with an authorization code. You can exchange this code for an access token using the /token endpoint.
The response should contain an access token, an ID token and a refresh token.
Use refresh_token
You should only ask for a new token if the access_token has expired or you want to refresh the claims contained in the id_token.
For example, it is bad practice to call the endpoint to get a new access_token every time you call an API.
To exchange the refresh_token you received during authorization for a new access_token, make a POST request to the /token endpoint using grant_type=refresh_token.
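As an added example (not TelenorID+'s own client code), the following Python shows a client that refreshes only when the access token is about to expire, builds the grant_type=refresh_token POST body, keeps the old refresh token when a non-sliding policy does not rotate it, and falls back to a new login when no refresh token exists (NoRefresh policy) or the refresh is rejected. The token endpoint is injected as a function so the example runs offline; the HTTP call itself and the sample responses are constructed assumptions.

```python
import time
from urllib.parse import urlencode

class TokenSet:
    """Tokens from one /token response plus the access token's absolute expiry time."""
    def __init__(self, resp, now):
        self.access_token = resp["access_token"]
        self.id_token = resp.get("id_token")
        self.refresh_token = resp.get("refresh_token")   # absent under the NoRefresh policy
        self.expires_at = now + resp["expires_in"]

def refresh_request(client_id, refresh_token, client_secret=None):
    """Build the application/x-www-form-urlencoded body for grant_type=refresh_token.
    Confidential clients authenticate with their secret; public/mobile clients send only client_id."""
    params = {"grant_type": "refresh_token", "refresh_token": refresh_token, "client_id": client_id}
    if client_secret:
        params["client_secret"] = client_secret
    return urlencode(params)

def get_access_token(tokens, post, client_id, now=None, skew=30):
    """Return (access_token, tokens, refreshed). The token endpoint is called only when the
    current access token is expired or within `skew` seconds of expiring, never on every API call.
    `post(body)` performs the HTTP POST to /token and returns the parsed JSON response (injected
    here so the example runs offline)."""
    now = time.time() if now is None else now
    if now + skew < tokens.expires_at:
        return tokens.access_token, tokens, False        # still valid: reuse it
    if not tokens.refresh_token:
        # NoRefresh policy, or offline_access was not requested: only a new login can help
        raise PermissionError("no refresh token available; user must log in again")
    resp = post(refresh_request(client_id, tokens.refresh_token))
    if "error" in resp:
        # e.g. invalid_grant: fixed 14-day lifetime reached or SSO session ended -> new login
        raise PermissionError(f"refresh rejected: {resp['error']}")
    new = TokenSet(resp, now)
    if new.refresh_token is None:
        new.refresh_token = tokens.refresh_token         # non-sliding policy: token not rotated
    return new.access_token, new, True

# Constructed stand-in for the /token endpoint (not real TelenorID+ output).
def fake_token_endpoint(body):
    if "refresh_token=rt-old" in body:
        return {"access_token": "at-2", "id_token": "idt-2", "refresh_token": "rt-new", "expires_in": 600}
    return {"error": "invalid_grant"}
```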