How to generate Refresh Token with as SAML external IDP?

Not applicable

We are using external SAMl token to issue an APIGEE token after validating the SAML token.

After validating the token, we are using the below policy to generate the apigee access token. I understand from other blogs and community that when we use Client Credentials as grant type, we will not be having any Refresh token generated.

What Grant type makes more sense to generate the access token in this case? we need the refresh token also to be generated along with the access token.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OA_GenerateAccessTokenSAML">
    <DisplayName>OA_GenerateAccessTokenSAML</DisplayName>
    <Operation>GenerateAccessToken</Operation>
    <ExpiresIn ref="saml_sessionTimeRemaining">3600000</ExpiresIn>
    <!--<ref></ref></ExpiresIn>-->
    <SupportedGrantTypes>
        <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>
    <Attributes>
        <Attribute name="UPN" ref="upn"/>
    </Attributes>
    <Attributes>
        <Attribute name="email" ref="email"/>
    </Attributes>
    <GenerateResponse enabled="false"/>
    <GenerateErrorResponse enabled="true"/>
</OAuthV2>

thank you

0 1 4,163
1 REPLY 1

srinandans
Staff

You're using the client credential grant type. This grant type does not have a refresh token.

The RFC that describes the exchange of a SAML Assertion to an access token is described here: https://tools.ietf.org/html/rfc7522. The SAML Bearer Assertion Grant type also does not have a refresh token.

That said, if you really must have a refresh token, then try using the password grant. Extract the user identity from the assertion and use that as the username.

0 0 6
Top Labels in this Space
Top Solution Authors