fix: refresh token activation (#1795)

* fix: oidc grant type check * docs: add offline_access scope * docs: update refresh token status in supported grant types * fix: update oidc pkg
2025-08-11 18:07:31 +00:00 · 2021-05-31 11:06:01 +02:00
parent 1f41cc5ca8
commit f8ab1f5b7b
10 changed files with 98 additions and 15 deletions
--- a/docs/docs/apis/openidoauth/endpoints.md
+++ b/docs/docs/apis/openidoauth/endpoints.md
@@ -139,6 +139,46 @@ curl --request POST \
  --data client_assertion=eyJhbGciOiJSUzI1Ni...
 ```

+### Refresh Token Grant
+
+---
+
+Required request Parameters
+
+| Parameter     | Description                                                                         |
+| ------------- | ----------------------------------------------------------------------------------- |
+| grant_type    | Must be `refresh_token`                                                             |
+| refresh_token | The refresh_token previously issued in the last auth code or refresh token request. |
+| scope         | [Scopes](Scopes) you would like to request from ZITADEL for the new access_token. Must be a subset of the scope originally requested by the corresponding auth request. When omitted, the scopes requested by the original auth request will be reused. Scopes are space delimited, e.g. `openid email profile` |
+
+Depending on your authorization method you will have to provide additional parameters or headers:
+
+When using `client_secret_basic`
+
+Send your `client_id` and `client_secret` as Basic Auth Header. Check [Client Secret Basic Auth Method](authn-methods#client-secret-basic) on how to build it correctly.
+
+When using `client_secret_post`
+
+Send your `client_id` and `client_secret` as parameters in the body:
+
+| Parameter     | Description                      |
+| ------------- | -------------------------------- |
+| client_id     | client_id of the application     |
+| client_secret | client_secret of the application |
+
+When using `none` (PKCE)
+
+Send your `client_id` as parameter in the body. No authentication is required.
+
+When using `private_key_jwt`
+
+Send a client assertion as JWT for us to validate the signature against the registered public key.
+
+| Parameter             | Description                                                                                                     |
+| --------------------- | --------------------------------------------------------------------------------------------------------------- |
+| client_assertion      | JWT built and signed according to [Using JWTs for Client Authentication](authn-methods#jwt-with-private-key) |
+| client_assertion_type | Must be `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`                                                |
+
 ## introspection_endpoint

 [https://api.zitadel.ch/oauth/v2/introspect](https://api.zitadel.ch/oauth/v2/introspect)
--- a/docs/docs/apis/openidoauth/grant-types.md
+++ b/docs/docs/apis/openidoauth/grant-types.md
@@ -12,7 +12,7 @@ For a list of supported or unsupported `Grant Types` please have a look at the t
 | Device Authorization                                  | under consideration |
 | Implicit                                              | yes                 |
 | JSON Web Token (JWT) Profile                          | yes                 |
-| Refresh Token                                         | work in progress    |
+| Refresh Token                                         | yes                 |
 | Resource Owner Password Credentials                   | no                  |
 | Security Assertion Markup Language (SAML) 2.0 Profile | no                  |
 | Token Exchange                                        | work in progress    |
--- a/docs/docs/apis/openidoauth/scopes.md
+++ b/docs/docs/apis/openidoauth/scopes.md
@@ -6,12 +6,13 @@ ZITADEL supports the usage of scopes as way of requesting information from the I

 ## Standard Scopes

-| Scopes  | Example   | Description                                          |
-|:--------|:----------|------------------------------------------------------|
-| openid  | `openid`  | When using openid connect this is a mandatory scope  |
-| profile | `profile` | Optional scope to request the profile of the subject |
-| email   | `email`   | Optional scope to request the email of the subject   |
-| address | `address` | Optional scope to request the address of the subject |
+| Scopes         | Example          | Description                                                                    |
+|:---------------|:-----------------|--------------------------------------------------------------------------------|
+| openid         | `openid`         | When using openid connect this is a mandatory scope                            |
+| profile        | `profile`        | Optional scope to request the profile of the subject                           |
+| email          | `email`          | Optional scope to request the email of the subject                             |
+| address        | `address`        | Optional scope to request the address of the subject                           |
+| offline_access | `offline_access` | Optional scope to request a refresh_token (only possible when using code flow) |

 ## Custom Scopes