I have an Angular2 SPA which directs a user through an authorization code process for a 3rd party application. After the user logs in and authorizes the 3rd party application, I use the returned code and try to create an access_token and refresh_token. My authorize call:

https://my_tenet/authorize?audience=my_audience&scope=read:reap create:reap offline_access&response_type=code&client_id=my_client_id&redirect_uri=http://localhost:4200/dashboard&state=asdf&prompt=login

My oauth/token SPA call:

import { Injectable } from '@angular/core';
import { HttpClient, HttpParams, HttpResponse } from '@angular/common/http';

@Injectable()
export class AuthenticationService {
    constructor(private http: HttpClient) { }

    // Exchange the authorization code returned to the redirect_uri for tokens
    // at the tenant's /oauth/token endpoint. HttpParams is sent as
    // application/x-www-form-urlencoded, which is what the token endpoint expects.
    createToken(code: string): Promise<HttpResponse<any>> {
        const payload = new HttpParams()
            .set('grant_type', 'authorization_code')
            .set('client_id', 'my_client_id')
            // Note: a client_secret embedded in browser code is visible to
            // anyone who loads the app; it does not stay secret in an SPA.
            .set('client_secret', 'my_client_secret')
            .set('code', code)
            .set('redirect_uri', 'http://localhost:4200/dashboard');

        // HttpClient returns an Observable; convert it to match the declared Promise return type.
        return this.http
            .post<any>('https://my_tenet/oauth/token', payload, { observe: 'response' })
            .toPromise();
    }
}


The above response returns everything except the refresh_token:


Now when I make the same create token call via Postman, it does return the refresh_token:

Am I missing something obvious as to why the refresh token is being left off the SPA app call? I am kicking off the /authorize process the same way for both workflows (SPA vs Postman) in order to get the authorization code.

You don’t get refresh tokens from applications running in a browser, as there isn’t any secure and persistent store for them. You can still use Refresh Token Rotation, as discussed here: Refresh Token Rotation
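To make the Refresh Token Rotation scheme mentioned in the answer concrete, here is an added example (not code from the original thread, and not Auth0's implementation) of what the authorization server does on the /oauth/token side: every successful refresh returns a brand-new refresh token and retires the one that was presented, and presenting an already-rotated token is treated as a leaked copy, so the entire token family descending from that login is revoked. The class, store layout, token format and TTL values are assumptions chosen for illustration; the access token is a random stand-in rather than a signed JWT.

```typescript
// Added example: in-memory model of Refresh Token Rotation with reuse detection.
// Names, storage layout and the token format are assumptions for illustration.
import { randomBytes } from 'crypto';

interface RefreshRecord {
  family: string;    // every token descending from one login shares a family id
  userId: string;
  used: boolean;     // true once this token has been exchanged (rotated)
  expiresAt: number; // epoch milliseconds
}

export interface TokenPair {
  access_token: string;
  refresh_token: string;
  expires_in: number;
}

export class RotatingRefreshStore {
  private tokens = new Map<string, RefreshRecord>();
  private revokedFamilies = new Set<string>();

  // refreshTtlMs: refresh token lifetime; now: injectable clock for testing.
  constructor(
    private refreshTtlMs: number = 30 * 24 * 3600 * 1000,
    private now: () => number = Date.now,
  ) {}

  // Called after a successful authorization_code exchange: opens a new family.
  issue(userId: string): TokenPair {
    const family = randomBytes(16).toString('hex');
    return this.mint(userId, family);
  }

  // Exchange a refresh token (grant_type=refresh_token). Returns null when the
  // presented token must be rejected.
  rotate(presented: string): TokenPair | null {
    const rec = this.tokens.get(presented);
    if (!rec) return null;                                   // unknown token
    if (this.revokedFamilies.has(rec.family)) return null;   // family already killed
    if (rec.expiresAt <= this.now()) {                       // expired: drop it
      this.tokens.delete(presented);
      return null;
    }
    if (rec.used) {
      // Reuse detected: a token that was already rotated is being replayed.
      // Either the legitimate client or an attacker holds a stale copy, and
      // the server cannot tell which, so the whole family is revoked. That
      // also invalidates the newer token the other party is holding.
      this.revokeFamily(rec.family);
      return null;
    }
    rec.used = true;                                         // retire the presented token
    return this.mint(rec.userId, rec.family);                // hand out its successor
  }

  // Revoke every token in a family (reuse detection, logout, or admin action).
  revokeFamily(family: string): void {
    this.revokedFamilies.add(family);
    this.tokens.forEach((rec, tok) => {
      if (rec.family === family) this.tokens.delete(tok);
    });
  }

  isFamilyRevoked(family: string): boolean {
    return this.revokedFamilies.has(family);
  }

  private mint(userId: string, family: string): TokenPair {
    const refresh = randomBytes(32).toString('hex');
    this.tokens.set(refresh, {
      family,
      userId,
      used: false,
      expiresAt: this.now() + this.refreshTtlMs,
    });
    return {
      access_token: randomBytes(32).toString('hex'), // stand-in for a signed JWT
      refresh_token: refresh,
      expires_in: 900,
    };
  }
}
```

The point of the family-wide revocation is the case the answer alludes to: because a browser cannot keep a refresh token truly secret, rotation limits the damage of a stolen copy to a single use, and the first replay of a stale token by either side cuts off both.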

Ah okay this makes sense. Thank you for the info!

