Refresh a Token

Last updated: April 19, 2023

Introduction

A Refresh Token is a special kind of token that contains the information required to obtain a new Access Token or ID Token.
Usually, a user will need a new Access Token only after the previous one expires, or when gaining access to a new resource for the first time.

Refresh Tokens are subject to strict storage requirements to ensure that they are not leaked.

How to implement ?

Get a refresh Token


To get a Refresh Token, you must use the Authorization Code Flow

In response you will get a JSON object containing the following fields:

  • access_token: The access token for the user. This value must be secured.
  • token_typeThe type of token this is, typically just the string “bearer”.
  • expires_inThe number of seconds remaining, from the time it was requested, before the token will expire.
  • refresh_token: (optional) can be used to obtain another access token after access_token expiration.
  • id_token: (optional) A token representing the proof that the user has been authenticated. It does not carry user's credentials and can not be used to access member's APIs.
  • jti: (optional) The "jti" (JWT ID) claim provides a unique identifier for the JWT.



Refresh Your Token


To refresh your token, using the Refresh Token you already got during authorization.


POST /connect/oauth/token

Headers :
Parameter Description Required
Authorization Basic encodedString (where encodedString is the result of base 64 encoding the OAuth client's values as clientId:clientSecret Yes


Body (x-www-form-urlencoded) :
Parameter Description Required
grant_type The value of this field should always be: refresh_token Yes
refresh_token The refresh token issued to the client. Yes
scope The scope of the access request.The requested scope MUST NOT include any scope not originally granted by the resource owner, and if omitted is treated as equal to the scope originally granted by the resource owner. OPTIONAL

For example, a successful call : 


curl --location --request POST 'https://api-global.preprod.decathlon.net/connect-re7/oauth/token' \
--header 'Authorization: Basic Y2xpZW50LWRlZmF1bHQ6Y2xpZW50LWRlZmF1bHQtc2VjcmV0' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'refresh_token=REFRESH_TOKEN' \
--data-urlencode 'grant_type=refresh_token'

An alternate successful call, without using the Authorization header (you need the client_id and client_secret) : 


curl --location 'https://api-global.preprod.decathlon.net/connect-re7/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'refresh_token=REFRESH_TOKEN' \
--data-urlencode 'client_id=CLIENT_ID' \
--data-urlencode 'client_secret=CLIENT_SECRET'

In response you will get a JSON object containing the following fields:

  • access_token: The NEW access token for the user. This value must be secured.
  • token_typeThe type of token this is, typically just the string “bearer”.
  • expires_inThe number of seconds remaining, from the time it was requested, before the token will expire.
  • refresh_token: A NEW refresh Token.
  • id_token: (optional) A NEW id Token.
  • jti: (optional) The "jti" (JWT ID) claim provides a unique identifier for the JWT.

For example, a successful token response may look like the following: 


{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJiNjI2ZGM2YS0wOTQwLTQ0ZGEtYWY2OS0wNGI0MTFhMWRlNTYiLCJhdXRoX3RpbWUiOjE2ODAwMDYwNjUsInNjb3BlIjpbImNvdW50cnkiLCJwdXJjaGFzZXMiLCJhY2NvdW50OmNvbnNlbnQiLCJvcGVuaWQiLCJwdXJjaGFzZSIsImFjY291bnQ6YWRkcmVzcyIsImFjY291bnQ6Z2VuZGVyIiwiYWNjb3VudDpwYXNzd29yZCIsImFjY291bnQ6aWRlbnRpZmllcnMiLCJhY2NvdW50OnN0b3JlIiwiYWNjb3VudDpwdXJjaGFzZSIsImFjY291bnQ6YmlydGhkYXRlIiwicGhvbmUiLCJhY2NvdW50OmxvY2FsZSIsImFjY291bnQ6cHVyY2hhc2VzIiwiYWNjb3VudDpzcG9ydHMiLCJhY2NvdW50OnNoaXBwaW5nX2FkZHJlc3MiLCJlbWFpbCIsImFjY291bnQ6cHJvZmlsZSJdLCJpc3MiOiJodHRwczovL2FwaS1ldS5wcmVwcm9kLmRlY2F0aGxvbi5uZXQvY29ubmVjdCIsImRhdGFfY2VudGVyIjoiRVUiLCJwZXJzb25pZCI6Ijk5MDE2Mzg4NTEyIiwibG9jYXRpb24iOiJGUiIsImV4cCI6MTY4MDAwNzA5NiwiaWF0IjoxNjgwMDA2MTk2LCJhdXRob3JpdGllcyI6WyJST0xFX1VTRVIiXSwianRpIjoicmxWM2pSRVBGemd3YnYxMjNZa09sZndaR0VvIiwiY2xpZW50X2lkIjoiZDJjMGRjYjUtMzJiZC00YTU2LTlkZDgtMjA3MGU3YjJiNTMzIn0.sitNoc5bub6bsXheIBsXr4lI8qDEtIFI79VbMJ0UNQNog59NdWKbMbLVtvHMGGpHmf8-vV92eE8gk6H3w8S_PQdt0A_ipQ7wQhJHGW3Tzxw560iO1eopvOZ7yGVFcILfV0D89si-Xj_nDO_-XRhUgHjzcHPE9xIYPbYDZ3W_m8lRzoe38K_YA4XX1oKvF1gYonUh9TcVaL8rl60tPVKAjNcZsWp9VF3C9EzCttYnwHK35Hr3QhIckJB0FUWRl6lnshgFCom1_5D-sN3C1dZGO9TB03CykJl-7JXR6TFqpHTF5TemTG6zRDBEqRsGtt4rF-31UCQwx2eWHxuaK6zsPQ",
    "token_type": "bearer",
    "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJiNjI2ZGM2YS0wOTQwLTQ0ZGEtYWY2OS0wNGI0MTFhMWRlNTYiLCJpc3MiOiJodHRwczovL2FwaS1ldS5wcmVwcm9kLmRlY2F0aGxvbi5uZXQvY29ubmVjdCIsImRhdGFfY2VudGVyIjoiRVUiLCJhdXRob3JpdGllcyI6WyJST0xFX1VTRVIiXSwiY2xpZW50X2lkIjoiZDJjMGRjYjUtMzJiZC00YTU2LTlkZDgtMjA3MGU3YjJiNTMzIiwiYXV0aF90aW1lIjoxNjgwMDA2MDY1LCJzY29wZSI6WyJjb3VudHJ5IiwicHVyY2hhc2VzIiwiYWNjb3VudDpjb25zZW50Iiwib3BlbmlkIiwicHVyY2hhc2UiLCJhY2NvdW50OmFkZHJlc3MiLCJhY2NvdW50OmdlbmRlciIsImFjY291bnQ6cGFzc3dvcmQiLCJhY2NvdW50OmlkZW50aWZpZXJzIiwiYWNjb3VudDpzdG9yZSIsImFjY291bnQ6cHVyY2hhc2UiLCJhY2NvdW50OmJpcnRoZGF0ZSIsInBob25lIiwiYWNjb3VudDpsb2NhbGUiLCJhY2NvdW50OnB1cmNoYXNlcyIsImFjY291bnQ6c3BvcnRzIiwiYWNjb3VudDpzaGlwcGluZ19hZGRyZXNzIiwiZW1haWwiLCJhY2NvdW50OnByb2ZpbGUiXSwiYXRpIjoicmxWM2pSRVBGemd3YnYxMjNZa09sZndaR0VvIiwicGVyc29uaWQiOiI5OTAxNjM4ODUxMiIsImxvY2F0aW9uIjoiRlIiLCJleHAiOjE2ODAwMDk3OTYsImlhdCI6MTY4MDAwNjE5NiwianRpIjoialB6RkYyVVB3NnVlLXVXZGMxd0xCT2toMFFFIn0.rY7Lf6ecpvq0HPT5aGDCLXJFOr4v0e-5g79pCt-x8mCPjVo3cwxE_Hx68n2wk0hi_iGF05ENsSqlOQb8YYfipNjHqTsFiCOo7uCXhEe6aQiTwUyjJ6g1mFZZjkcv3Dv6fPIxydP5HR6PoxTZF6dCifNs-PlHjT5EHB9H5ivMOmnlWcEZaKCSbb02GnL1xtPnADlKG__DHxTz9EdM1LUiQWBYFlcGvKfKrz1Uc3OPewJsCQvprA62plJlUv2gyFpIpNOHFuHVNN2MOlXQq-Ex-187zsLeSo0fzev09aonIO4mR1hg_zB5RbCl759In0HARqxMSJBm6ZAIcGIgCBs7jg",
    "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJiNjI2ZGM2YS0wOTQwLTQ0ZGEtYWY2OS0wNGI0MTFhMWRlNTYiLCJhdWQiOlsiNjkyMjk5ZGItNjY3MC00NzViLTk3ZjAtYWQyOThjNWFmZTFiIiwiL3Rva2VuL2V4Y2hhbmdlIiwiZDJjMGRjYjUtMzJiZC00YTU2LTlkZDgtMjA3MGU3YjJiNTMzIl0sImF6cCI6ImQyYzBkY2I1LTMyYmQtNGE1Ni05ZGQ4LTIwNzBlN2IyYjUzMyIsImF1dGhfdGltZSI6MTY4MDAwNjA2NSwiaXNzIjoiaHR0cHM6Ly9hcGktZXUucHJlcHJvZC5kZWNhdGhsb24ubmV0L2Nvbm5lY3QiLCJleHAiOjE2ODAwMDcwOTYsImlhdCI6MTY4MDAwNjE5NiwianRpIjoiSUQuR19tOXkyRjQzb19oUkpOYWpRUkN2Z0RQY0RZIn0.fZxL0DD7Ts6MUkdS4n967G0FHQ_HYHOFQJwZ4OwMbQLEBazyZqnQS3Y23jHj8nGzNOliJtpA41HAufm01AOqL30sIOWE5fSSv5D2ObXh-PuVqCHZ-cWtQkRIREDnXoS3nCXpswoZD83fzH2FuXXdkIUeAla4pptY2QVFr7Ms-CGgzN_pNkKA-N6OVzoEAsbN1TzQ0PsHc-3MJ6PIzjMmA6z0jZ4Vs_FU3UPC-XCGLWjlXX-HcdMboaD8a9ioYRhYaZz_7mqU3omeLde9LddHi8z_cWq5yYTr64jgjl5Gwf_P4-C9kXABi7oUVQverGP-t9G3NagGWQOkHgB5fQWqXA",
    "expires_in": 899,
    "scope": "country purchases account:consent openid purchase account:address account:gender account:password account:identifiers account:store account:purchase account:birthdate phone account:locale account:purchases account:sports account:shipping_address email account:profile",
    "jti": "rlV3jREPFzgwbv123YkOlfwZGEo"
}
Terms & Services