Angel (2d ago)

Token endpoint to refresh token

Hello, I am trying to refresh my token, which was generated with my web client, with my API client using /oauth/v2/token with the JWT method, but it's considered inactive, while the access token is still active according to the introspect endpoint.
import time

import jwt        # PyJWT
import requests

# `settings` (providing ZITADEL_DOMAIN) and `self.JWT_KEY_FILE` (the parsed key file with
# client_id, key_id and private_key) come from the poster's application and are not shown;
# the two functions below are methods of the poster's client class, whose header is omitted.

    def create_client_assertion(self) -> str:
        # JWT profile client assertion: iss and sub are both the client_id, aud is the
        # ZITADEL issuer, signed RS256 with the application key identified by kid.
        now = int(time.time())
        payload = {
            "iss": self.JWT_KEY_FILE["client_id"],
            "sub": self.JWT_KEY_FILE["client_id"],
            "aud": settings.ZITADEL_DOMAIN,
            "exp": now + 60 * 60,
            "iat": now
        }
        headers = {
            "alg": "RS256",
            "kid": self.JWT_KEY_FILE["key_id"]
        }
        return jwt.encode(
            payload,
            self.JWT_KEY_FILE["private_key"],
            algorithm="RS256",
            headers=headers
        )

    def refresh_access_token(self, refresh_token: str) -> dict:
        # refresh_token grant, authenticating the client with the JWT assertion instead of a secret
        url = f"{settings.ZITADEL_DOMAIN}/oauth/v2/token"
        jwt_token = self.create_client_assertion()
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        data = {
            "grant_type": "refresh_token",
            "refresh_token": refresh_token,
            "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            "client_assertion": jwt_token
        }
        try:
            response = requests.post(url, headers=headers, data=data, timeout=2)
            response.raise_for_status()
            token_response = response.json()
            return token_response
        except requests.exceptions.HTTPError as e:
            error_detail = e.response.json() if e.response.content else {"error": "unknown"}
            # surface the OAuth error body (error / error_description) instead of
            # silently falling off the end of the function and returning None
            raise RuntimeError(f"token refresh failed: {error_detail}") from e

...
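For reference, here is what a token endpoint does with a request like the one above, as an added stdlib-only Python model written for this page (it is neither ZITADEL's code nor the poster's). It assumes the assertion's RS256 signature has already been verified against the key named by the `kid` header, uses a made-up issuer URL (standing in for settings.ZITADEL_DOMAIN), made-up client ids and token strings, and a 1 hour cap on assertion lifetime as its own policy. It enforces the RFC 7523 claim checks (iss = sub = client_id, aud = issuer, bounded exp/iat, single-use jti) and the RFC 6749 section 6 rule that a refresh token is only honoured for the client it was issued to, with rotation of the used refresh token as described in RFC 6749 section 10.4:

```python
import secrets
from dataclasses import dataclass, field

# Assumed values for the illustration: the issuer URL stands in for settings.ZITADEL_DOMAIN;
# the 1h cap on assertion lifetime is this model's own policy, not a ZITADEL figure.
ISSUER = "https://example.zitadel.cloud"
MAX_ASSERTION_LIFETIME = 60 * 60
ACCESS_TOKEN_LIFETIME = 60 * 60


class OAuthError(Exception):
    """An RFC 6749 section 5.2 token error, rendered as an HTTP 400/401 JSON body."""

    def __init__(self, error: str, description: str, status: int = 400):
        super().__init__(description)
        self.error, self.description, self.status = error, description, status


@dataclass
class RefreshTokenRecord:
    client_id: str      # the client this refresh token was issued to (RFC 6749 section 6 binding)
    subject: str
    scopes: frozenset
    expires_at: int
    revoked: bool = False


@dataclass
class TokenEndpoint:
    known_clients: frozenset
    refresh_tokens: dict                      # refresh token string -> RefreshTokenRecord
    seen_jti: set = field(default_factory=set)

    def authenticate_client(self, claims: dict, now: int) -> str:
        """Claim checks for a JWT client assertion (RFC 7523 section 3). The RS256 signature
        is assumed to have been verified already against the client's registered key."""
        iss, sub = claims.get("iss"), claims.get("sub")
        if not iss or iss != sub or sub not in self.known_clients:
            raise OAuthError("invalid_client", "iss and sub must both name a registered client", 401)
        aud = claims.get("aud")
        if ISSUER not in (aud if isinstance(aud, list) else [aud]):
            raise OAuthError("invalid_client", "aud must be the token issuer", 401)
        exp, iat = claims.get("exp"), claims.get("iat", now)
        if not isinstance(exp, int) or exp <= now:
            raise OAuthError("invalid_client", "assertion expired or has no exp", 401)
        if iat > now + 60 or exp - iat > MAX_ASSERTION_LIFETIME:
            raise OAuthError("invalid_client", "assertion iat in the future or lifetime too long", 401)
        jti = claims.get("jti")
        if jti is not None:
            if jti in self.seen_jti:          # replay protection: each assertion is accepted once
                raise OAuthError("invalid_client", "assertion jti already used", 401)
            self.seen_jti.add(jti)
        return sub

    def refresh(self, form: dict, claims: dict, now: int) -> dict:
        if form.get("grant_type") != "refresh_token":
            raise OAuthError("unsupported_grant_type", "only refresh_token is modelled here")
        client_id = self.authenticate_client(claims, now)
        record = self.refresh_tokens.get(form.get("refresh_token", ""))
        if record is None or record.revoked or record.expires_at <= now:
            raise OAuthError("invalid_grant", "refresh token is unknown, revoked or expired")
        if record.client_id != client_id:
            # RFC 6749 section 6: a refresh token is bound to the client it was issued to, so a
            # token obtained through one client cannot be refreshed by another, even a valid one.
            raise OAuthError("invalid_grant", "refresh token was issued to a different client")
        requested = frozenset(form["scope"].split()) if form.get("scope") else record.scopes
        if not requested <= record.scopes:
            raise OAuthError("invalid_scope", "cannot widen the originally granted scope")
        # Rotate: the used refresh token is revoked and a fresh one issued (RFC 6749 section 10.4).
        record.revoked = True
        new_rt = secrets.token_urlsafe(32)
        self.refresh_tokens[new_rt] = RefreshTokenRecord(client_id, record.subject, requested, now + 30 * 86400)
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": ACCESS_TOKEN_LIFETIME, "refresh_token": new_rt,
                "scope": " ".join(sorted(requested))}

    def handle(self, form: dict, claims: dict, now: int) -> tuple:
        """Wrap refresh() into the (status, json_body) pair an HTTP handler would send."""
        try:
            return 200, self.refresh(form, claims, now)
        except OAuthError as err:
            return err.status, {"error": err.error, "error_description": err.description}


def demo() -> dict:
    """Constructed scenario: one refresh token issued to 'web-client', presented by two clients."""
    now = 1_700_000_000
    endpoint = TokenEndpoint(
        known_clients=frozenset({"web-client", "api-client"}),
        refresh_tokens={"rt-web-1": RefreshTokenRecord("web-client", "user-42",
                                                        frozenset({"openid", "offline_access"}), now + 86400)},
    )
    form = {"grant_type": "refresh_token", "refresh_token": "rt-web-1"}

    def assertion(client_id: str, jti: str) -> dict:
        return {"iss": client_id, "sub": client_id, "aud": ISSUER, "iat": now, "exp": now + 3600, "jti": jti}

    return {
        "cross_client": endpoint.handle(form, assertion("api-client", "j1"), now),
        "same_client": endpoint.handle(form, assertion("web-client", "j2"), now),
        "replayed_assertion": endpoint.handle(form, assertion("web-client", "j2"), now),
        "reused_token": endpoint.handle(form, assertion("web-client", "j3"), now),
    }


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(f"{name}: {status} {body}")
```

Running `demo()` shows the four outcomes side by side: the API client presenting the web client's refresh token gets `invalid_grant` even though its assertion is valid, the web client gets a new token pair, a replayed assertion (same `jti`) is rejected with `invalid_client`, and the rotated-out refresh token is rejected on its second use.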
2 Replies
Ask Inkeep (2d ago)
Hi @Angel, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.
Answer: I wasn't able to find a direct answer, here are some relevant sources:
1. OpenID Connect Endpoints in ZITADEL: covers the required parameters and authentication methods for the /oauth/v2/token refresh flow, including client assertion JWTs and expected behaviors with refresh tokens.
2. JSON Web Token Profile in ZITADEL: explains how to create and use JWT-based client assertions for authentication, and how tokens are validated and introspected.
Feel free to tag @Ask Inkeep with additional questions. Got it. Tagging @Rajat for additional help.
Rajat (2d ago)
Hey @Angel, I will look into this thing tomorrow morning.