How to Refresh an Access Token Using a Refresh Token

Some OAuth grant types return a refresh_token along with an access_token. Refresh tokens have a much longer expiration time than access_tokens and as such can be used to obtain a new access_token when the current one expires.

To use a refresh_token to obtain a new access_token, send a request to the token_endpoint specified in the OpenID Connect Discovery document, configured as follows:

* The request method is POST.
* The request body is x-www-form-urlencoded, consisting of:
  * grant_type=refresh_token
  * refresh_token= followed by the refresh_token
* An HTTP Authorization header formatted in the HTTP Basic Auth format with the client_id and client_secret serving as the userid and password.

The curl command to refresh a token is as follows:

curl -X POST --basic -u "<client_id>:<client_secret>" -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -d "grant_type=refresh_token&refresh_token=<refresh_token>" https://api.byu.edu/token

Note: Refresh_tokens can only be used once. A new refresh_token will be returned along with the new access_token.