
Using Refresh Tokens

After a grant has been established for a user, a refresh token may be issued. For Adaptive Access native apps, the refresh token serves a few different purposes:

  • Using the refresh token triggers another Adaptive risk assessment
  • Supporting long-lived native application sessions
  • Refreshing the access token that is returned after an Allowed authentication

The Proxy SDK supports refresh token flows. The same principles covered in Using the Proxy SDK to Authenticate a User apply: refreshing a token can result in one of three outcomes:

  • Allow
  • Deny
  • Require

Note: These outcomes are only possible when the corresponding access policy is enabled for refresh token flows.

This is useful where a user's session may have become risky over time, e.g. a change of network or device is detected.

To make use of a refresh token, call:

// `adaptive` is the Proxy SDK client initialised in the earlier topics.

// Extract parameters from request.
var context = {
    sessionId : req.session.sessionId, // The session ID generated by the browser and posted back
    userAgent : req.headers['user-agent'], // The user-agent collected from headers
    ipAddress : req.ip // The IP address of the connection.
};

var refreshToken = req.body.refreshToken;

// Perform a token refresh.
adaptive.refresh(context, refreshToken)
    .then((result) => {
        if (result.status === "deny") {
            res.status(403).send({error: "Denied"});
            return;
        }
        if (result.status === "allow") {
            // Refresh successfully complete; replace the stored token set
            req.session.token = result.token; // Stash bearer token
            res.redirect("/");
            return;
        }

        // Status is "require": store the transaction state needed by the second-factor step.
        req.session.transactionId = result.transactionId;
        req.session.sessionId = context.sessionId;

        // Handle the possible options
        if (result.allowedFactors.indexOf("fido2") != -1) {
            req.session.currentFactor = "fido2";
            res.redirect("/fido2");
        } else if (result.allowedFactors.indexOf("emailotp") != -1) {
            req.session.currentFactor = "otp";
            res.redirect("/otp");
        } else {
            // No factor this application can satisfy; do not leave the request hanging.
            res.status(403).send({error: "No supported second factor"});
        }
    })
    .catch((err) => {
        // SDK or network failure: treat as a failed refresh, never as an allow.
        res.status(500).send({error: "Refresh failed"});
    });
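As an added example (not code from this page or from IBM's Proxy SDK), the handler below separates the outcome decision from the Express response so that each of the three results can be exercised offline. The call shape `adaptive.refresh(context, refreshToken)` and the result fields `status`, `token`, `transactionId` and `allowedFactors` are taken from the snippet above; the fake client and its canned results, the factor preference order, the route names and the session field names are assumptions constructed for the example.

```javascript
// Added example, not part of the IBM Proxy SDK documentation or SDK source.
// The SDK call and result fields follow the page; everything else is assumed.

// Factor preference order: first entry that appears in allowedFactors wins.
// (Assumed ordering and routes; adjust to what the application implements.)
const FACTOR_ROUTES = [
    ["fido2", "/fido2"],
    ["emailotp", "/otp"],
];

// Build the risk context from the incoming request, as the page does.
function buildContext(req) {
    return {
        sessionId: req.session.sessionId,   // session ID posted from the browser
        userAgent: req.headers["user-agent"],
        ipAddress: req.ip,
    };
}

// Apply an SDK result to the session and return a plain "what to do next"
// decision. Returning a value instead of writing to `res` keeps the policy
// logic testable without Express.
function applyRefreshResult(session, context, result) {
    switch (result.status) {
        case "deny":
            // A denied refresh must not leave a usable token or transaction behind.
            delete session.token;
            delete session.transactionId;
            return { action: "deny", status: 403 };
        case "allow":
            // Replace the whole stored token set; the refresh token just used is spent.
            session.token = result.token;
            delete session.transactionId;
            return { action: "redirect", location: "/" };
        case "require": {
            // Keep the transaction state the second-factor step needs.
            session.transactionId = result.transactionId;
            session.sessionId = context.sessionId;
            const match = FACTOR_ROUTES.find(([factor]) => result.allowedFactors.includes(factor));
            if (!match) {
                // Nothing this app can satisfy: reject rather than hang the request.
                return { action: "deny", status: 403, reason: "no supported factor" };
            }
            session.currentFactor = match[0];
            return { action: "redirect", location: match[1], factor: match[0] };
        }
        default:
            return { action: "error", status: 500, reason: `unexpected status ${result.status}` };
    }
}

// Full flow: context from the request, SDK call, session update.
async function refreshSession(adaptive, req) {
    const context = buildContext(req);
    const result = await adaptive.refresh(context, req.body.refreshToken);
    return applyRefreshResult(req.session, context, result);
}

// Constructed fake client standing in for the Proxy SDK so this runs offline.
const fakeAdaptive = {
    async refresh(context, refreshToken) {
        const outcomes = {
            "rt-good":  { status: "allow", token: { access_token: "at-2", refresh_token: "rt-2" } },
            "rt-risky": { status: "require", transactionId: "txn-1", allowedFactors: ["emailotp"] },
            "rt-bad":   { status: "deny" },
        };
        return outcomes[refreshToken] || { status: "deny" };
    },
};

// Constructed request object with the fields the handler reads.
function makeRequest(refreshToken) {
    return {
        session: { sessionId: "sess-1", token: { access_token: "at-1", refresh_token: refreshToken } },
        headers: { "user-agent": "example-ua" },
        ip: "203.0.113.5",
        body: { refreshToken },
    };
}

if (typeof require !== "undefined" && require.main === module) {
    (async () => {
        for (const rt of ["rt-good", "rt-risky", "rt-bad"]) {
            const req = makeRequest(rt);
            console.log(rt, await refreshSession(fakeAdaptive, req), req.session);
        }
    })();
}
```

On a deny the handler clears the stored token as well as the transaction, so a client that ignores the 403 cannot keep presenting the old bearer token from session state. On a require it walks `allowedFactors` in a fixed preference order and refuses when none of the listed factors is one the application implements, instead of silently leaving the request open as a missing `else` would.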

Note: For steps on enabling refresh token support, visit the topic on the knowledge centre.

Note: The next topic Performing Recollection is essential when using Adaptive Access for refresh token flows.
