Not returning Refresh Token from Password Flow

I am sending a request to /oauth/token with

grant_type password
clientid (client has refresh token password grant)
scope openid email offline_access
audience (api allows offline access)

I get back
scope openid email

Can anyone think of something I am missing? I would expect a refresh token to be returned as well.


According to the doc:

To refresh your token, using the refresh_token you already got during authorization, make a POST request to the /oauth/token endpoint in the Authentication API, using grant_type=refresh_token

Agreed, and I believe I have configured everything properly; however, the oauth/token endpoint doesn’t return a refresh_token. I do notice the scope is being returned without the offline_access, so it is being stripped out for some reason, I believe. The client has the grant for offline_access and the api has the feature turned on.


According to the documentation, in order to get the refresh token the grant_type should be refresh_token, but in the Postman query above you’re using password.

It ended up being a rule that was stripping the offline_access scope on the original /token call. My fault. Thanks for the help! Moral of the story, if you are getting interesting behavior check your rules!
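The symptom in this thread (a requested `offline_access` scope missing from the response, and no `refresh_token`) can be checked mechanically by comparing the token request with the token response. The following is an added example, not part of the original thread or of any vendor's code; the function names `parseScopes` and `diagnoseTokenResponse` and the sample request and response are constructed for illustration.

```javascript
// Added example: names and sample data are constructed for illustration.
function parseScopes(value) {
  // OAuth 2.0 scope strings are space-delimited (RFC 6749, section 3.3).
  return new Set(String(value || "").split(/\s+/).filter(Boolean));
}

function diagnoseTokenResponse(request, response) {
  const requested = parseScopes(request.scope);
  // RFC 6749 section 5.1: the response may omit "scope" only when the
  // granted scope is identical to what was requested.
  const granted = response.scope === undefined
    ? new Set(requested)
    : parseScopes(response.scope);
  const dropped = [...requested].filter((s) => !granted.has(s));
  const hasRefreshToken =
    typeof response.refresh_token === "string" && response.refresh_token !== "";

  const findings = [];
  if (dropped.length > 0) {
    findings.push("scopes removed before issuance: " + dropped.join(" "));
  }
  if (requested.has("offline_access") && !hasRefreshToken) {
    findings.push(granted.has("offline_access")
      ? "offline_access granted but no refresh_token returned: check the " +
        "client's grant types and the API's offline access setting"
      : "offline_access not granted, so no refresh_token: check rules, " +
        "client grants and the API's offline access setting");
  }
  if (!requested.has("offline_access") && hasRefreshToken) {
    findings.push("refresh_token issued without offline_access being requested");
  }
  return { dropped, hasRefreshToken, findings };
}

// Constructed request/response mirroring the thread (not captured traffic).
const sampleRequest = { grant_type: "password", scope: "openid email offline_access" };
const sampleResponse = { access_token: "constructed-token", token_type: "Bearer",
                         scope: "openid email" };
console.log(diagnoseTokenResponse(sampleRequest, sampleResponse));
```

Running the same comparison in an integration test after any change to rules or client grants catches a silently dropped scope before clients start failing to refresh.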

