Refresh Token Grant
Token Request
The response to the token request should contain an access token and a refresh token.
{
"access_token": "etMv23....429hiU32Hri",
"refresh_token": "GEbRxBN...edjnXbL",
"token_type": "Bearer"
}
Use a Refresh Token:
To exchange the Refresh Token you received for a new Access Token, make a POST request to the token endpoint, using grant_type=refresh_token as follows.
POST http://<wp_base_url>/wp-json/moserver/token
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token&
client_id={client_id}&
client_secret={client_secret}&
refresh_token={refresh_token}
Here is the description of each request parameter.
- grant_type=refresh_token : This tells the server we're using the refresh token grant type.
- client_id : The public identifier of the application that the developer obtained during registration.
- client_secret : The client secret provided by the OAuth provider.
- refresh_token : The refresh token to use.
Sample requests follow for cURL, Postman, C#, Java, PHP and Python.
curl -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=refresh_token&client_id=<your-client-id>&client_secret=<your-client-secret>&refresh_token=<refresh-token>" http://<your-wordpress-domain-name>/wptest/wordpress/wp-json/moserver/token
using System;
using System.IO;
using System.Net;
using System.Text;
using Newtonsoft.Json;

// Exchanges a refresh token for a new access token at the moserver token endpoint.
static string GetRefreshedAccessToken()
{
    var httpWebRequest = (HttpWebRequest)WebRequest.Create("http://YOUR_DOMAIN/wp-json/moserver/token");
    // The token endpoint documented above takes a form-encoded body, not JSON.
    httpWebRequest.ContentType = "application/x-www-form-urlencoded";
    httpWebRequest.Method = "POST";
    // Escape each value so a token containing '&' or '=' is sent intact.
    string body = "grant_type=refresh_token"
        + "&client_id=" + Uri.EscapeDataString("<<YOUR CLIENT_ID>>")
        + "&client_secret=" + Uri.EscapeDataString("<<YOUR CLIENT SECRET>>")
        + "&refresh_token=" + Uri.EscapeDataString("<<REFRESH TOKEN>>");
    byte[] payload = Encoding.UTF8.GetBytes(body);
    httpWebRequest.ContentLength = payload.Length;
    using (var requestStream = httpWebRequest.GetRequestStream())
    {
        requestStream.Write(payload, 0, payload.Length);
    }
    using (var httpResponse = (HttpWebResponse)httpWebRequest.GetResponse())
    using (var streamReader = new StreamReader(httpResponse.GetResponseStream()))
    {
        var result = streamReader.ReadToEnd();
        dynamic jtoken = JsonConvert.DeserializeObject(result);
        Console.WriteLine(jtoken.access_token);
        return jtoken.access_token;
    }
}
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintStream;
import java.io.StringWriter;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Exchanges a refresh token for a new access token at the moserver token endpoint.
private static String getRefreshedAccessToken(String refreshToken, String username, String password, String clientId, String clientSecret)
{
    String tokenUrl = "http://YOUR_DOMAIN/wp-json/moserver/token";
    // Client credentials travel in an HTTP Basic header: base64("client_id:client_secret").
    String authentication = Base64.getEncoder().encodeToString((clientId + ":" + clientSecret).getBytes(StandardCharsets.UTF_8));
    Pattern pat = Pattern.compile(".*\"access_token\"\\s*:\\s*\"([^\"]+)\".*");
    BufferedReader reader = null;
    HttpURLConnection connection = null;
    String accesstoken = "";
    try {
        // Form-encode each value so special characters in the token survive the request (URLEncoder with a Charset needs Java 10+).
        String content = "grant_type=refresh_token"
            + "&username=" + URLEncoder.encode(username, StandardCharsets.UTF_8)
            + "&password=" + URLEncoder.encode(password, StandardCharsets.UTF_8)
            + "&refresh_token=" + URLEncoder.encode(refreshToken, StandardCharsets.UTF_8);
        URL url = new URL(tokenUrl);
        connection = (HttpURLConnection) url.openConnection();
        connection.setRequestMethod("POST");
        connection.setDoOutput(true);
        connection.setRequestProperty("Authorization", "Basic " + authentication);
        connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        connection.setRequestProperty("Accept", "application/json");
        PrintStream os = new PrintStream(connection.getOutputStream());
        os.print(content);
        os.close();
        reader = new BufferedReader(new InputStreamReader(connection.getInputStream(), StandardCharsets.UTF_8));
        String line = null;
        StringWriter out = new StringWriter(connection.getContentLength() > 0 ? connection.getContentLength() : 2048);
        while ((line = reader.readLine()) != null) {
            out.append(line);
        }
        String response = out.toString();
        // Pull the access_token value out of the JSON body with the pattern above.
        Matcher matcher = pat.matcher(response);
        if (matcher.matches() && matcher.groupCount() > 0) {
            accesstoken = matcher.group(1);
        }
    } catch (Exception e) {
        System.out.println("Error : " + e.toString());
    } finally {
        if (reader != null) {
            try {
                reader.close();
            } catch (IOException e) {
                // nothing useful to do if closing the reader fails
            }
        }
        if (connection != null) {
            connection.disconnect();
        }
    }
    System.out.println(accesstoken);
    return accesstoken;
}
// Exchanges a refresh token for a new access token at the moserver token endpoint.
function getRefreshedAccessToken($refresh_token)
{
    $token_url = "http://YOUR_DOMAIN/wp-json/moserver/token";
    $client_id = "<YOUR CLIENT_ID>";
    $client_secret = "<YOUR CLIENT SECRET>";
    // http_build_query form-encodes the values, so a token with special characters is sent intact.
    $tokenContent = http_build_query(array(
        "grant_type" => "refresh_token",
        "username" => "<USERNAME>",
        "password" => "<PASSWORD>",
        "refresh_token" => $refresh_token
    ));
    // Client credentials go in an HTTP Basic header; do not echo this value, it contains the client secret.
    $authorization = base64_encode("$client_id:$client_secret");
    $tokenHeaders = array("Authorization: Basic {$authorization}", "Content-Type: application/x-www-form-urlencoded");
    $token = curl_init();
    curl_setopt($token, CURLOPT_URL, $token_url);
    curl_setopt($token, CURLOPT_HTTPHEADER, $tokenHeaders);
    // Keep certificate verification on: with it off, anyone in the network path can read the tokens.
    curl_setopt($token, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($token, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($token, CURLOPT_POST, true);
    curl_setopt($token, CURLOPT_POSTFIELDS, $tokenContent);
    $response = curl_exec($token);
    if ($response === false) {
        $error = curl_error($token);
        curl_close($token);
        throw new RuntimeException("Token request failed: " . $error);
    }
    curl_close($token);
    $decoded = json_decode($response);
    if (!isset($decoded->access_token)) {
        throw new RuntimeException("No access_token in token response: " . $response);
    }
    return $decoded->access_token;
}
import requests

def getRefreshedAccessToken():
    token_url = "http://YOUR_DOMAIN/wp-json/moserver/token"
    client_id = '<<CLIENT_ID>>'
    client_secret = '<<CLIENT SECRET>>'
    refresh_token = '<<REFRESH TOKEN>>'
    # Form parameters of the refresh token grant; requests form-encodes the dict for us.
    t_json = {
        'grant_type': 'refresh_token',
        'username': '<<USERNAME>>',
        'password': '<<PASSWORD>>',
        'client_id': client_id,
        'client_secret': client_secret,
        'refresh_token': refresh_token,
    }
    response = requests.post(token_url, data=t_json)
    # Fail with the HTTP error instead of a KeyError on a missing access_token field.
    response.raise_for_status()
    resp = response.json()
    access_token = resp["access_token"]
    return access_token
The response will include a new Access Token, its type, its lifetime (in seconds), and the granted scopes. If the scope of the initial token included openid, then a new ID Token will be in the response as well.
The response will contain parameters as follows:
{
"access_token": "eyJ...MoQ",
"expires_in": 86400,
"scope": {scope},
"id_token": "eyJ...0NE",
"token_type": "Bearer"
}
Revoke a Refresh Token
Since Refresh Tokens never expire, it is essential to be able to revoke them in case they get compromised.
To revoke a Refresh Token, you can send a POST request to the token endpoint as follows.
POST http://<wp_base_url>/wp-json/moserver/token
Content-Type: application/x-www-form-urlencoded
client_id={client_id}&
client_secret={client_secret}&
refresh_token={refresh_token}
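The following is an added example, not code from this page or from the plugin: a small client that uses the refresh request, the expires_in response field and the revoke request described above, renewing the access token only when it is about to expire. The FakeTransport stands in for requests.post and replays this page's sample response; the TOKEN_URL host is the page's placeholder, treating HTTP 200 as a successful revoke is an assumption (the page does not describe the revoke response), and keeping a rotated refresh_token goes beyond the page's sample response.

```python
import time
from types import SimpleNamespace

TOKEN_URL = "http://YOUR_DOMAIN/wp-json/moserver/token"  # placeholder host, as on this page


class RefreshingTokenClient:
    """Caches an access token and renews it with the refresh_token grant shortly before
    expires_in runs out. `post` is any callable shaped like requests.post (url, data=...)."""
    def __init__(self, client_id, client_secret, refresh_token, post, now=time.time, leeway=60):
        self._creds = {"client_id": client_id, "client_secret": client_secret}
        self.refresh_token = refresh_token
        self._post, self._now, self._leeway = post, now, leeway
        self._access_token, self._expires_at = None, 0.0

    def access_token(self):
        # Reuse the cached token until it is within `leeway` seconds of its deadline.
        if self._access_token and self._now() < self._expires_at - self._leeway:
            return self._access_token
        return self.refresh()

    def refresh(self):
        resp = self._post(TOKEN_URL, data={"grant_type": "refresh_token",
                                           "refresh_token": self.refresh_token, **self._creds})
        if resp.status_code != 200:
            raise RuntimeError("refresh failed with HTTP %d" % resp.status_code)
        body = resp.json()
        if body.get("token_type", "").lower() != "bearer" or "access_token" not in body:
            raise RuntimeError("unexpected token response: %r" % body)
        self._access_token = body["access_token"]
        # expires_in is a lifetime in seconds; turn it into an absolute deadline.
        self._expires_at = self._now() + int(body.get("expires_in", 0))
        # If the server rotated the refresh token, keep the new one (assumption, not shown on this page).
        self.refresh_token = body.get("refresh_token", self.refresh_token)
        return self._access_token

    def revoke(self):
        # Revoke request from this page: client credentials plus the refresh token, no grant_type.
        resp = self._post(TOKEN_URL, data={"refresh_token": self.refresh_token, **self._creds})
        self._access_token, self._expires_at = None, 0.0
        return resp.status_code == 200  # assumption: the page does not describe the revoke response


class FakeTransport:
    """Constructed stand-in for requests.post that records calls and replays this page's sample response."""
    def __init__(self): self.calls = []
    def __call__(self, url, data=None):
        self.calls.append(dict(data))
        body = {"access_token": "eyJ...MoQ", "expires_in": 86400, "scope": "openid",
                "id_token": "eyJ...0NE", "token_type": "Bearer"}
        return SimpleNamespace(status_code=200, json=lambda: body)
```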