This token is only valid for 1 hour so I want to exchange it for a refresh token.
To quote the documentation:
Access tokens expire in one hour. The external application can get a new access token without user interaction by exchanging a refresh token for it.
Refresh tokens are also valid for only one use and they expire after 60 days.
To do so, they must include offline_access in the scope parameter of the authorize request so that the authorization code can be used in a token request to get a refresh token.
If I understand this correctly, I have to send exactly the same request as before, but add offline_access to the scope.
Unfortunately, when I do that I’ll receive the following response:
Edit: Just to make sure there’s no misunderstanding, I’m not trying to get refresh tokens for Microsoft, but the UiPath Orchestrator. Although since it’s all based on the OAuth2 specification, it should be the same.
I realized that there is no refresh token for confidential applications with application scope. Only external applications with user scope can have a refresh token.
I guess that is the case as anytime I included the offline_access scope, I would get “invalid_scope” error. I think the documentation could use a little clarification, unless refresh tokens should be available to application scoped confidential applications as well.