Device Flow and refresh tokens
I'm implementing the device flow for an Adobe plugin. I am using device flow as there is no easy way to handle the PKCE callback inside the plugin sandbox, so my options are limited. Everything works fine, except the device flow is not returning me a refresh_token to use, so I have to make the users go through the enter code/sign in/confirm app process every time the access_token expires.
Most other IdPs seem to support a long-lifetime refresh token as well as the access token, and often also some way to revoke the refresh token for a device.
Is this approach not supported in Kinde, or am I missing something in setup that would provide me with a refresh_token?
Hi Matt, thanks for reaching out.
Let me cross-check that and get back to you shortly. Thanks
any luck checking this one out?
Hi Matt,
Yes, Kinde supports refresh tokens in the Device Authorization Flow.
If you're not getting a refresh_token, the missing piece is usually the offline scope and enabling Offline Access for your API.
Do this:
1. Request the device code with the offline scope:
When the user completes verification, polling the token endpoint will return both access_token and (because of offline) a refresh_token.
2. Enable Offline Access for your API
In Kinde: Settings → APIs → your API → enable "Offline Access." This is required for refresh tokens to be issued.
3. Refresh silently using the refresh token
Kinde rotates refresh tokens automatically (you'll get a new one each time; the old one becomes invalid).
Notes
- The scope name is offline (not offline_access).
- You can adjust token lifetimes per app under Settings → Applications → Tokens.
If you still don't see a refresh_token, please share the device-code request and token response (without secrets) and we'll double-check your scopes and app/API settings.
Let me know if this helps, Thanks
Thanks Abdiwak,
I just went to enable offline, but there's no UI option for me to do so as per your instructions above. I'm using a free plan while building my app, and it won't let me add a custom scope called offline manually either - says I need a paid plan.
So I had a look at the options for setting this up in a paid plan (Pro-tier) and it also won't let me add scopes - the message I get is that I need to upgrade to a paid plan (doesn't specify what type of paid plan), so is this offline functionality not available until I get to the Plus tier? Even though offline is a standard scope, not a custom one?
@Matt I just tried this without actually setting any scopes in the UI. Just included the scope=openid profile email offline and I got a refresh token. If you haven't already, it might be worth just trying it.
Hi Matt,
offline is a built-in scope (works on Free), not a custom one. Just include it in your Device Flow request (scope=openid profile email offline) and you'll receive a refresh_token. If you don't, send me your device/auth request and token response (redacted) and I'll check the params.
FYI: refresh tokens rotate, store the new one after each refresh.
Let me know, Thanks
Well, that makes sense, and I feel a bit dumb for not just trying that out tbh. I'll give it a shot. Thanks to both of you
OK, I have tested it and got it returning a refresh_token. One thing to note - the scope passed to the https://${KINDE_CONFIG.domain}/oauth2/device/auth endpoint to init the device flow must contain the offline scope ONLY, and not the other built-in scopes openid profile email, as that then returns a 400.
Thanks for that Matt, you're right.
For Device Authorization Flow, send only offline (no openid profile email) when you call the device auth endpoint. OIDC scopes aren't used in this flow and can trigger a 400.
Then poll /oauth2/token as normal, you'll get an access_token and a refresh_token. You can adjust token lifetimes later in your app's token settings.
Let me know if you have any questions, Thanks
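Added example (not Kinde's SDK and not code from anyone in this thread) of the flow the thread settles on: request the device code with only the offline scope, poll /oauth2/token, then refresh and keep the rotated refresh_token. It assumes Kinde uses the RFC 8628 parameter names and error codes (device_code, interval, authorization_pending, slow_down) and a public client identified by client_id; the post and sleep callables are injectable so the client can be exercised without a network.

```python
import json, time, urllib.error, urllib.parse, urllib.request

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

def post_form(url, fields):
    # Default transport: POST form fields; return the JSON body even on 4xx (pending/slow_down come as 400).
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(),
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)

class DeviceFlowClient:
    def __init__(self, domain, client_id, post=post_form, sleep=time.sleep):
        self.device_url = f"https://{domain}/oauth2/device/auth"
        self.token_url = f"https://{domain}/oauth2/token"
        self.client_id, self.post, self.sleep = client_id, post, sleep  # injectable for tests
        self.refresh_token = None  # persist in the plugin's secure storage, not a plain file

    def start(self):
        # Send ONLY the 'offline' scope: adding openid/profile/email here returns a 400 (see thread).
        return self.post(self.device_url, {"client_id": self.client_id, "scope": "offline"})

    def poll(self, dev, max_polls=60):
        interval = int(dev.get("interval", 5))
        for _ in range(max_polls):
            tok = self.post(self.token_url, {"grant_type": DEVICE_CODE_GRANT,
                            "device_code": dev["device_code"], "client_id": self.client_id})
            if "access_token" in tok:
                self.refresh_token = tok.get("refresh_token", self.refresh_token)
                return tok
            err = tok.get("error")
            if err == "slow_down":                # RFC 8628: add 5 s to the interval, keep polling
                interval += 5
            elif err != "authorization_pending":  # expired_token, access_denied, ...
                raise RuntimeError(f"device flow failed: {err}")
            self.sleep(interval)
        raise TimeoutError("user did not complete verification in time")

    def refresh(self):
        tok = self.post(self.token_url, {"grant_type": "refresh_token",
                        "refresh_token": self.refresh_token, "client_id": self.client_id})
        if "access_token" not in tok:
            self.refresh_token = None  # rejected (revoked or already rotated): run start()/poll() again
            raise RuntimeError(f"refresh failed: {tok.get('error')}")
        # Rotation: the response carries a new refresh_token and the one just used is now invalid.
        self.refresh_token = tok.get("refresh_token", self.refresh_token)
        return tok
```

Because the old refresh_token is invalidated on every refresh, write the new one to storage before the next API call, or a crash between the two leaves the plugin with a dead token and the user back at the enter-code step.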