4.2 Obtain a Primary Refresh Token

The following example shows a request from the broker client to the AD FS server for a primary refresh token (section 3.2.5.1.2.1) using the obtained nonce (section 4.1) and the response from the AD FS server that contains the primary refresh token (section 3.2.5.1.2.2).

Request:

 POST https://server.example.com/adfs/oauth2/token/ HTTP/1.1
 {
  Content-Type=application/x-www-form-urlencoded,
  Host=server.example.com,
  Content-Length=4176,
  Expect=[100-continue]
 }
 MessageOffset:251
 grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
 &request=eyJ0eXAiOiJKV1...

As described in sections 3.2.5.1.2.1 and 3.2.5.1.2.1.1, the value of the request parameter above is a signed JWT. The decoded header and payload of that JWT are shown below.

 {
   "typ":"JWT",
   "alg":"RS256",
   "x5c":["MIIEMzC..."]
 }
 {
   "client_id":"38aa3b87-a06d-4817-b275-7a316988d93b",
   "scope":"aza openid",
   "grant_type":"password",
   "username":"janedoe@example.com",
   "password":"password",
   "request_nonce":"eyJWZXJza..."
 }

Response:

 HTTP/1.1 200 OK
 {
  Content-Length=6123,
  Content-Type=application/json;charset=UTF-8
 }
 {
  "token_type":"pop",
  "refresh_token":"rghyF1xMq2YQTbE...",
  "refresh_token_expires_in":604800,
  "session_key_jwe":"eyJlbmMiOiJBMjU2R0NNIi...",
  "id_token":"eyJ0eXAiOiJKV1QiLCJhbGci..."
 }
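As an added illustration (not part of the protocol specification or any Microsoft code), the following Python assembles the request JWT and form body shown above and validates the shape of the token-endpoint response. The RSA-SHA256 signing routine, the certificate bytes and all sample values are assumed or constructed placeholders.

```python
import base64
import json
from typing import Callable, Dict, Tuple
from urllib.parse import urlencode

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
REQUIRED_RESPONSE_FIELDS = ("token_type", "refresh_token", "refresh_token_expires_in",
                            "session_key_jwe", "id_token")

def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_request_jwt(claims: Dict[str, str], cert_der: bytes,
                      sign: Callable[[bytes], bytes]) -> str:
    """Assemble the request JWT: an RS256 header carrying the client certificate
    in x5c, the section 4.2 claims as payload, and the signature that `sign`
    (the caller's RSA-SHA256 routine, assumed here) makes over header.payload."""
    header = {"typ": "JWT", "alg": "RS256",
              "x5c": [base64.b64encode(cert_der).decode("ascii")]}
    signing_input = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    return signing_input + "." + b64url(sign(signing_input.encode("ascii")))

def decode_jwt_unverified(token: str) -> Tuple[dict, dict]:
    """Split a JWT into header and claims without checking the signature:
    useful for inspecting a captured request, never for trusting it."""
    hdr, payload, _sig = token.split(".")
    return json.loads(b64url_decode(hdr)), json.loads(b64url_decode(payload))

def build_token_request_body(request_jwt: str) -> str:
    """Form body POSTed to /adfs/oauth2/token/. The user credentials travel
    only inside the signed JWT; the form carries just the grant type and JWT."""
    return urlencode({"grant_type": JWT_BEARER, "request": request_jwt})

def parse_prt_response(body: str) -> Dict[str, object]:
    """Validate a token-endpoint response: every field shown in section 4.2
    must be present and token_type must be "pop" (proof of possession), the
    type used together with the session key delivered as a JWE in session_key_jwe."""
    resp = json.loads(body)
    missing = [f for f in REQUIRED_RESPONSE_FIELDS if f not in resp]
    if missing:
        raise ValueError(f"response lacks required fields: {missing}")
    if resp["token_type"] != "pop":
        raise ValueError(f"unexpected token_type {resp['token_type']!r}")
    return resp
```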