Refresh Tokens

Many Identity Providers issue an Access Token in response to the authentication process. You can use an Access Token to make authenticated API calls to an Identity Provider to access additional resources.

However, Access Tokens periodically expire. Many Identity Providers return a Refresh Token, which you can use to get a new Access Token without requiring your user to re-authenticate. You can do this by calling RefreshToken via the LogonLabs Gateway. This will improve your user’s authentication experience, as they will only need to authenticate once.

Please note that Refresh Tokens should be stored securely, as they can be used to keep the user authenticated indefinitely in some cases.

In order to receive a Refresh Token on authentication, Return Authorization Data must be enabled for the Identity Provider.

Supported Identity Providers

The following Identity Providers support Refresh Tokens:

Identity Provider Notes

Each Identity Provider has slightly different behavior for Refresh Tokens, regarding when they are issued and how they should be used. Below is a description of the specific quirks for each Identity Provider.

Access Token Expiry Time: 3600 seconds (1 hour)

A new Refresh Token is returned each time you refresh. Microsoft recommends discarding old Refresh Tokens after they are used.

When “Return Authorization Data” is enabled, the scope “offline_access” is automatically added by LogonLabs in order to return the Access Token.

Access Token Expiry Time: 3536 seconds (1 hour)

A Refresh Token is only returned on the first authentication, so it must be saved at this point.

Only a limited number of Refresh Tokens will be issued: there is one limit per client/user combination and another per user across all clients. Please note that older Refresh Tokens will stop working once too many have been requested.

A Refresh Token can be reused multiple times.

When “Return Authorization Data” is enabled, the scope “access_type=offline” is automatically added by LogonLabs in order to return the Access Token.

Access Token Expiry Time: 15551847 seconds (180 days)

A Refresh Token can be re-used for up to 100 days, at which point the user will need to re-authenticate to retrieve a new Refresh Token.

If a user re-authenticates, the newest Refresh Token should be used.

Access Token Expiry Time: 3600 seconds (1 hour)

A Refresh Token can be reused multiple times.

A new Refresh Token is not issued when you refresh.

Access Token Expiry Time: 1209600 seconds (14 days)

A Refresh Token can be reused multiple times.

A new Refresh Token is not issued when you refresh.

Access Token Expiry Time: 28800 seconds (8 hours)

A Refresh Token can only be used once.

A new Refresh Token is returned each time you refresh.

Access Token Expiry Time: 7200 seconds (2 hours)

Refresh Tokens are only valid for 90 days.

A new Refresh Token is not issued when you refresh. Consequently, users must re-authenticate every 90 days to get a new valid Access Token.

Access Token Expiry Time: 3600 seconds (1 hour)

In order for Okta to return a Refresh Token, you must enable “Refresh Token” under General Settings for your Okta App. Please see Step 6 on this page to complete this change.

A Refresh Token can be reused multiple times.

A new Refresh Token is returned each time you refresh. Okta recommends discarding old Refresh Tokens after they are used.

When “Return Authorization Data” is enabled, the scope “offline_mode” is automatically added by LogonLabs in order to return the Access Token.

Access Token Expiry Time: 3600 seconds (1 hour)

A Refresh Token can be reused multiple times.

A new Refresh Token is returned each time you refresh. OneLogin recommends discarding old Refresh Tokens after they are used.
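The provider differences above (rotating vs. non-rotating Refresh Tokens, fixed Refresh Token lifetimes, forced re-authentication) are easy to get wrong in the code that stores tokens. The following Python is an added example, not LogonLabs code: it keeps one token record per user and applies those rules when a refresh response arrives. The `refresh_via_gateway` callable is an assumed stand-in for the RefreshToken call and is taken to return a dict with `access_token`, `expires_in` and, only for rotating providers, `refresh_token`.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional

class ReauthenticationRequired(Exception):
    """No usable Refresh Token: the user must authenticate again."""

@dataclass(frozen=True)
class TokenSet:
    """Tokens held server-side for one user at one Identity Provider."""
    access_token: str
    access_expires_at: datetime
    refresh_token: Optional[str]
    refresh_issued_at: datetime
    refresh_lifetime: Optional[timedelta] = None  # e.g. 90 days; None = no stated limit

def refresh_token_is_usable(t: TokenSet, now: datetime) -> bool:
    """A Refresh Token with a fixed lifetime stops being usable once that lifetime passes."""
    if t.refresh_token is None:
        return False
    return t.refresh_lifetime is None or now < t.refresh_issued_at + t.refresh_lifetime

def apply_refresh_response(t: TokenSet, resp: dict, now: datetime) -> TokenSet:
    """Merge a refresh response (assumed shape: access_token, expires_in, optional refresh_token)."""
    new_rt = resp.get("refresh_token")
    if new_rt and new_rt != t.refresh_token:
        # Rotating provider: keep only the newest token; the old one is discarded at once.
        rt, issued = new_rt, now
    else:
        # Non-rotating provider: the existing token stays in use and its age keeps counting.
        rt, issued = t.refresh_token, t.refresh_issued_at
    return TokenSet(resp["access_token"], now + timedelta(seconds=int(resp["expires_in"])),
                    rt, issued, t.refresh_lifetime)

def get_access_token(t: TokenSet, refresh_via_gateway: Callable[[str], dict],
                     now: datetime, leeway: timedelta = timedelta(seconds=60)):
    """Return (access_token, updated TokenSet), refreshing only when the Access Token is
    about to expire; refresh_via_gateway is the assumed RefreshToken call."""
    if now + leeway < t.access_expires_at:
        return t.access_token, t
    if not refresh_token_is_usable(t, now):
        raise ReauthenticationRequired("Refresh Token missing or expired")
    t = apply_refresh_response(t, refresh_via_gateway(t.refresh_token), now)
    return t.access_token, t
```

Persist the returned `TokenSet` after every call so that a rotated token is never reused and an expired one is never retried.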