How to Refresh an Access Token Using a Refresh Token
Some OAuth grant types return a refresh_token along with an access_token. Refresh tokens have a much longer expiration time than access_tokens and as such can be used to obtain a new access_token when the current one expires.
To use a refresh_token to obtain a new access_token, send a request to the token_endpoint specified in the OpenID Connect Discovery document, configured as follows:
* The request method is POST.
* The request body is x-www-form-urlencoded, consisting of:
  * grant_type=refresh_token
  * refresh_token= followed by the refresh_token
* An HTTP Authorization header formatted in the HTTP Basic Auth format with the client_id and client_secret serving as the userid and password.
The curl command to refresh a token is as follows:
curl -X POST --basic -u "<client_id>:<client_secret>" -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -d "grant_type=refresh_token&refresh_token=<refresh_token>" https://api.byu.edu/token
Note: A refresh_token can only be used once. A new refresh_token will be returned along with the new access_token.
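The same request built in Python, with the stored refresh_token replaced on every successful response because each one is single-use. This is an added example, not code from the API provider; it assumes the token response is the standard OAuth 2.0 JSON object with access_token and refresh_token fields, and the `store` dictionary is a hypothetical stand-in for wherever the client keeps its tokens.

```python
import base64
import json
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://api.byu.edu/token"  # endpoint from the curl command on this page


def build_refresh_request(client_id, client_secret, refresh_token, endpoint=TOKEN_ENDPOINT):
    """Build the POST described above: Basic auth header plus form-encoded body."""
    if not endpoint.lower().startswith("https://"):
        raise ValueError("token endpoint must use https")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode(
        {"grant_type": "refresh_token", "refresh_token": refresh_token}
    ).encode()
    return urllib.request.Request(
        endpoint,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
        },
    )


def rotate_tokens(store, response_body):
    """Replace both tokens in `store` (hypothetical dict) from a JSON token response.

    The old refresh_token is spent once the request succeeds, so a response
    without a new one is treated as an error instead of keeping the stale value.
    Assumes the standard OAuth 2.0 response field names.
    """
    data = json.loads(response_body)
    missing = [k for k in ("access_token", "refresh_token") if not data.get(k)]
    if missing:
        raise ValueError(f"token response missing {missing}")
    store["access_token"] = data["access_token"]
    store["refresh_token"] = data["refresh_token"]
    return store


def refresh(store, client_id, client_secret):
    """Send the request (TLS certificates verified by default) and rotate the store."""
    req = build_refresh_request(client_id, client_secret, store["refresh_token"])
    with urllib.request.urlopen(req, timeout=10) as resp:
        return rotate_tokens(store, resp.read())
```

Persist the rotated `store` before using the new access_token, so a crash between the two steps does not leave the client holding only a spent refresh_token.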