I have an Angular2 SPA which directs a user through an authorization code process for a 3rd party application. After the user logs in and authorizes the 3rd party application, I use the returned code and try to create an access_token and refresh_token. My authorize call:
https://my_tenet/authorize?audience=my_audience&scope=read:reap create:reap offline_access&response_type=code&client_id=my_client_id&redirect_uri=http://localhost:4200/dashboard&state=asdf&prompt=login
My oauth/token SPA call:
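    import { Injectable } from '@angular/core';
    import { HttpClient, HttpParams, HttpResponse } from '@angular/common/http';

    @Injectable()
    export class AuthenticationService {
      constructor(private http: HttpClient) { }

      // Exchange the authorization code for tokens at /oauth/token.
      createToken(code: string): Promise<HttpResponse<any>> {
        debugger;
        // HttpParams as the body is sent as application/x-www-form-urlencoded.
        const payload = new HttpParams()
          .set('grant_type', 'authorization_code')
          .set('client_id', 'my_client_id')
          .set('client_secret', 'my_client_secret')
          .set('code', code)
          .set('redirect_uri', 'http://localhost:4200/dashboard');

        // observe: 'response' returns the full HttpResponse, not just the body.
        return this.http.post<any>('https://my_tenet/oauth/token', payload, { observe: 'response' })
          .toPromise();
      }
    }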
The above response returns everything except the refresh_token:
Now when I make the same create token call via Postman, it does return the refresh_token:
Am I missing something obvious as to why the refresh token is being left off the SPA app call? I am kicking off the /authorize process the same for both workflows (SPA vs Postman) in order to get the authorization code.
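The two calls described above, as an added example that is not part of the original post: it builds the /authorize URL with percent-encoded parameters and a random `state` instead of a fixed one, checks `state` on the redirect, and reports when `offline_access` was requested but the token response carries no `refresh_token`. The function names and the `TokenResponse` shape are assumptions, and Node's `crypto` module stands in for the browser's random source so the code runs offline.

```typescript
import { randomBytes } from "crypto";

// Placeholder values taken from the post.
const AUTHORIZE_ENDPOINT = "https://my_tenet/authorize";
const REDIRECT_URI = "http://localhost:4200/dashboard";

interface TokenResponse { access_token?: string; refresh_token?: string; scope?: string; }

// Build the /authorize URL: every value percent-encoded, fresh random state per login.
function buildAuthorizeUrl(scopes: string[]): { url: string; state: string } {
  const state = randomBytes(16).toString("hex");
  const query = new URLSearchParams({
    audience: "my_audience",
    scope: scopes.join(" "),
    response_type: "code",
    client_id: "my_client_id",
    redirect_uri: REDIRECT_URI,
    state,
    prompt: "login",
  });
  return { url: `${AUTHORIZE_ENDPOINT}?${query.toString()}`, state };
}

// Return the authorization code, refusing a redirect whose state is not the one we sent.
function readCallback(callbackUrl: string, expectedState: string): string {
  const query = new URLSearchParams(callbackUrl.split("?")[1] ?? "");
  if (query.get("state") !== expectedState) throw new Error("state mismatch");
  const code = query.get("code");
  if (!code) throw new Error(query.get("error") ?? "no code in callback");
  return code;
}

// List what the token response lacks relative to the requested scopes.
function checkTokenResponse(requested: string[], res: TokenResponse): string[] {
  const problems: string[] = [];
  // RFC 6749: the server may omit "scope" when it granted exactly what was requested.
  if (res.scope !== undefined) {
    const granted = new Set(res.scope.split(" ").filter(Boolean));
    for (const s of requested) if (!granted.has(s)) problems.push(`scope not granted: ${s}`);
  }
  if (requested.indexOf("offline_access") !== -1 && !res.refresh_token) {
    problems.push("offline_access requested but no refresh_token in response");
  }
  return problems;
}
```

Running `checkTokenResponse` on the body returned to the SPA and on the body returned to Postman shows whether the two responses differ only in `refresh_token` or also in the granted `scope`.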