I'm facing some problems to wrap my mind about oAuth 2.0. Particularly, thephpleague/oauth2-server implementation.
I managed to set up an endpoint to create access tokens using Password grant type. This is, when someone do a POST /auth, they get the following answer:
{
"access_token": "hleVw03Fx4hVsaCqEmFqcXeks0hsDTkNSxMN17NR",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "GD8kT7JfGULhUKSTSBsF7AO6NaIXrqPS0dlyQjTm"
}
What I want to do now, is generate a new token when the access_token gets expired. I understand that I should use the refresh_token to ask for a fresh new token. However, I didn't find any documentation to start with.
You can use the Refresh Grant type to get a new access token. It is a standardized flow that is described in the spec here: https://www.rfc-editor.org/rfc/rfc6749#section-6. An example request to the token endpoint (taken from the spec) would look like:
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
In this case the client authenticates itself with Basic Authentication to the token endpoint using its client_id and client_secret. In commandline cURL it would look like:
curl -u "${CLIENT_ID}:${CLIENT_SECRET}" -d "grant_type=refresh_token&refresh_token=${REFRESH_TOKEN}"