asp.net core - Getting refresh_token server-side (sessionToken) with Okta

Question

We wish to use our own httponly strict cookie with access and refresh token in it for our microservices architectures.

We are primary using OKTA Authentication API to log users with our own custom Sign-in page. We were able to get the access_token on the authorize endpoint using the responsetype=token with sessionToken and redirecting the result as a form_post on our back-end endpoint.

I was unable to retrieve the refresh_token despite adding the offline_access in the scope even if it is checked in my okta application setting.

I don’t want to use resource password flow since we prefer using sessionToken which will work with multi factor if needed in the future.

I also try using the code flow and redirecting the result on our back-end but since the code flow is client-side it’s return this error "PKCE code verifier is required when the token endpoint authentication method is ‘NONE’." This error occur even if we choose a .NET application

How can we retrieve the refresh_token server-side with Okta?

Answer 1

Responded to your post here https://devforum.okta.com/t/getting-refresh-token-server-side-sessiontoken/12419/3.

Aside from making a call directly to /token with your access token you can also check our Early Access feature called Refresh Token Rotation. Let us know if this helps!