4.2 Obtain a Primary Refresh Token
The following example shows a request from the broker client to the AD FS server for a primary refresh token (section 3.2.5.1.2.1) using the obtained nonce (section 4.1) and the response from the AD FS server that contains the primary refresh token (section 3.2.5.1.2.2).
Request:

    POST https://server.example.com/adfs/oauth2/token/ HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: server.example.com
    Content-Length: 4176
    Expect: 100-continue

    grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&request=eyJ0eXAiOiJKV1...
As described in sections 3.2.5.1.2.1 and 3.2.5.1.2.1.1, the value of the request parameter above is a signed JWT. The decoded header and claims of that JWT are shown below (the x5c header carries the certificate whose key signs the token; the signature segment is omitted).
    {
      "typ":"JWT",
      "alg":"RS256",
      "x5c":["MIIEMzC..."]
    }
    {
      "client_id":"38aa3b87-a06d-4817-b275-7a316988d93b",
      "scope":"aza openid",
      "grant_type":"password",
      "username":"janedoe@example.com",
      "password":"password",
      "request_nonce":"eyJWZXJza..."
    }
Response:

    HTTP/1.1 200 OK
    Content-Length: 6123
    Content-Type: application/json;charset=UTF-8

    {
      "token_type":"pop",
      "refresh_token":"rghyF1xMq2YQTbE...",
      "refresh_token_expires_in":604800,
      "session_key_jwe":"eyJlbmMiOiJBMjU2R0NNIi...",
      "id_token":"eyJ0eXAiOiJKV1QiLCJhbGci..."
    }