OAuth 2.0 - Identity Server not returning refresh token


I'm trying to set up Thinktecture's Identity Server 3, and I can't seem to get it to return a refresh token when exchanging an authorization code (or when using the resource owner flow, but I'm going to focus on the authorization code since it's more important to me right now). I get access tokens, and can use them to authenticate fine, but it doesn't seem to be generating the refresh tokens I'm expecting back. Is there something special I need to do for Identity Server to return refresh tokens?

I've looked through the documentation and haven't seen anything I've set up wrong, and the only thing on the page on refresh tokens that I'm not doing is explicitly requesting the "offline_access" scope when sending the user there for authentication, because whenever I try that I get an "invalid scope" error. Therefore, I'm taking Thinktecture's phrasing of "request the offline_access scope (via code or resource owner flow)" to mean that the offline_access scope is automatically requested based on the flow you're using.

I've been trying to follow the sample applications (and the source code of the existing OWIN middleware in the Katana project) as best I can, and my setup is as follows:

  • I've created a client using the Client class, manually specifying the following:

        var client = new Client()
        {
            ClientId = "someid",
            ClientName = "client authentication code flow",
            RequireConsent = false, // setting this to true didn't help
            Flow = Flows.AuthorizationCode,
            ClientSecrets = new List<ClientSecret>()
            {
                new ClientSecret("secret")
            },
            RedirectUris = new List<string>()
            {
                "localhost:/specific-redirect-path"
            }
        };

  • I'm making the call to the authorization endpoint as follows:

        var authorizationEndpoint =
            authorizationEndpointBase +
            "?client_id=" + Uri.EscapeDataString(Options.ClientId) +
            "&scope=default" +
            "&response_type=code" +
            "&redirect_uri=" + Uri.EscapeDataString(redirectUri) +
            "&state=" + Uri.EscapeDataString(state);
        Response.Redirect(authorizationEndpoint);

    "default" is a scope I created.

  • In the callback, I call the token endpoint as follows:

        IReadableStringCollection query = Request.Query;
        string code = GetValueFromQueryString("code", query);
        var tokenRequestParameters = new List<KeyValuePair<string, string>>()
        {
            new KeyValuePair<string, string>("client_id", Options.ClientId),
            new KeyValuePair<string, string>("redirect_uri", GenerateRedirectUri()),
            new KeyValuePair<string, string>("client_secret", Options.ClientSecret),
            new KeyValuePair<string, string>("code", code),
            new KeyValuePair<string, string>("grant_type", "authorization_code"),
        };
        var requestContent = new FormUrlEncodedContent(tokenRequestParameters);
        HttpResponseMessage response = await _httpClient.PostAsync(tokenEndpoint, requestContent, Request.CallCancelled);
        response.EnsureSuccessStatusCode();
        string oauthTokenResponse = await response.Content.ReadAsStringAsync();

When I make the call to the token endpoint, the logging on the identity server displays the following (after validation of the authorization code):

    iisexpress.exe Information: 0 : [Thinktecture.IdentityServer.Core.Validation.TokenRequestValidator]: 7/13/2015 1:44:07 PM +00:00 -- Token request validation success
    {
      "ClientId": "someid",
      "ClientName": "client authentication code flow",
      "GrantType": "authorization_code",
      "AuthorizationCode": "f8f795e649044067ebd96a341c5af8c3"
    }
    iisexpress.exe Information: 0 : [Thinktecture.IdentityServer.Core.ResponseHandling.TokenResponseGenerator]: 7/13/2015 1:44:07 PM +00:00 -- Creating token response
    iisexpress.exe Information: 0 : [Thinktecture.IdentityServer.Core.ResponseHandling.TokenResponseGenerator]: 7/13/2015 1:44:07 PM +00:00 -- Processing authorization code request
    Debug: [Thinktecture.IdentityServer.Core.Services.Default.DefaultTokenService]: 7/13/2015 1:44:07 PM +00:00 -- Creating access token
    Debug: [Thinktecture.IdentityServer.Core.Services.Default.DefaultTokenService]: 7/13/2015 1:44:07 PM +00:00 -- Creating reference access token
    iisexpress.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.TokenEndpointController]: 7/13/2015 1:44:07 PM +00:00 -- End token request
    iisexpress.exe Information: 0 : [Thinktecture.IdentityServer.Core.Results.TokenResult]: 7/13/2015 1:44:07 PM +00:00 -- Returning token response.

I'm not sure what else is pertinent, but I'll provide more information as needed.

You have to explicitly ask for 'offline_access' in the request. Separate it from the other scopes you are requesting with a space. (In the examples below I'm replacing 'default' with 'myapi' to make it clear we're talking about a scope defined for your app.)

&scope=myapi offline_access  

However, you must also grant the client the right to request refresh tokens; this doesn't happen automatically based on the flow you pick:

    var client = new Client()
    {
        ... // all the stuff you were doing before
        ScopeRestrictions = new List<string>
        {
            "myapi",
            StandardScopes.OfflineAccess.Name, // "offline_access" - for refresh tokens
            // other commonly requested scopes:
            // StandardScopes.OpenId.Name,    // "openid"
            // StandardScopes.Email.Name,     // "email"
        },
    };

You may need to add the 'offline_access' scope to your scope store as well. The scope store is the list of scopes Identity Server knows about. The question doesn't mention how the scope store is set up in your project, so you may already have it. If the above doesn't work for you, you may want to look around the code in the example you're working from and add OfflineAccess.

    var scopeStore = new InMemoryScopeStore(new Scope[]
    {
        StandardScopes.OpenId,
        StandardScopes.Profile,
        StandardScopes.Email,
        StandardScopes.OfflineAccess, // <--- ensure this is here to allow refresh tokens
        new Scope
        {
            Enabled = true,
            Name = "myapi"
        },
    });
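Putting the three pieces of the answer together (scope store, client permission, and the space-separated scope parameter), here is an added example of my own; it is not code from the question, the answer, or IdentityServer3's samples. It assumes IdentityServer3 v1.x (the Thinktecture.* namespaces, Client.ScopeRestrictions and ClientSecret, as used above), Newtonsoft.Json for reading the token response, and IdentityServer3's default /connect/authorize and /connect/token endpoint paths. The RefreshTokenUsage and RefreshTokenExpiration settings are Client properties the thread does not mention, and "someid", "secret", "myapi" and the https://localhost:44300 redirect URI are placeholders.

```csharp
// Added example, not from the original post. Assumes IdentityServer3 v1.x and Newtonsoft.Json.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;
using Thinktecture.IdentityServer.Core.Models;
using Thinktecture.IdentityServer.Core.Services.InMemory;

public static class RefreshTokenConfig
{
    // Server side, part 1: the scope store must contain offline_access,
    // otherwise any request naming it fails with "invalid scope".
    public static InMemoryScopeStore BuildScopeStore()
    {
        return new InMemoryScopeStore(new[]
        {
            StandardScopes.OpenId,
            StandardScopes.OfflineAccess,
            new Scope { Name = "myapi", Enabled = true }
        });
    }

    // Server side, part 2: the client must be allowed to ask for offline_access.
    // RefreshTokenUsage/RefreshTokenExpiration are not mentioned in the thread (assumption:
    // IdentityServer3 Client properties); rotating and expiring limits a leaked refresh token.
    public static Client BuildClient()
    {
        return new Client
        {
            ClientId = "someid",                               // placeholder from the thread
            Flow = Flows.AuthorizationCode,
            RequireConsent = false,
            ClientSecrets = new List<ClientSecret> { new ClientSecret("secret") },
            RedirectUris = new List<string> { "https://localhost:44300/specific-redirect-path" },
            ScopeRestrictions = new List<string> { "myapi", StandardScopes.OfflineAccess.Name },
            RefreshTokenUsage = TokenUsage.OneTimeOnly,        // each refresh hands back a new token
            RefreshTokenExpiration = TokenExpiration.Absolute  // and the chain ends at a fixed time
        };
    }
}

// Client side: request the scope, exchange the code, then redeem the refresh token.
public sealed class RefreshTokenClient
{
    private static readonly HttpClient Http = new HttpClient();
    private readonly string _authorizeEndpoint, _tokenEndpoint, _clientId, _clientSecret, _redirectUri;

    public RefreshTokenClient(string issuer, string clientId, string clientSecret, string redirectUri)
    {
        _authorizeEndpoint = issuer.TrimEnd('/') + "/connect/authorize"; // IdentityServer3 defaults
        _tokenEndpoint = issuer.TrimEnd('/') + "/connect/token";
        _clientId = clientId;
        _clientSecret = clientSecret;
        _redirectUri = redirectUri;
    }

    // scope is a single space-separated parameter; offline_access rides alongside the API scope.
    public string BuildAuthorizeUrl(string state)
    {
        return _authorizeEndpoint +
               "?client_id=" + Uri.EscapeDataString(_clientId) +
               "&scope=" + Uri.EscapeDataString("myapi offline_access") +
               "&response_type=code" +
               "&redirect_uri=" + Uri.EscapeDataString(_redirectUri) +
               "&state=" + Uri.EscapeDataString(state);
    }

    public async Task<JObject> ExchangeCodeAsync(string code)
    {
        var tokens = await PostTokenRequestAsync(new Dictionary<string, string>
        {
            { "grant_type", "authorization_code" },
            { "code", code },
            { "redirect_uri", _redirectUri },
            { "client_id", _clientId },
            { "client_secret", _clientSecret }
        });
        // Fail here rather than discovering the missing token at the first refresh attempt.
        if (tokens["refresh_token"] == null)
            throw new InvalidOperationException(
                "No refresh_token returned: was offline_access requested and allowed for this client?");
        return tokens;
    }

    // With TokenUsage.OneTimeOnly the old token is retired and a new one comes back: store it.
    public Task<JObject> RefreshAsync(string refreshToken)
    {
        return PostTokenRequestAsync(new Dictionary<string, string>
        {
            { "grant_type", "refresh_token" },
            { "refresh_token", refreshToken },
            { "client_id", _clientId },
            { "client_secret", _clientSecret }
        });
    }

    private async Task<JObject> PostTokenRequestAsync(Dictionary<string, string> form)
    {
        var response = await Http.PostAsync(_tokenEndpoint, new FormUrlEncodedContent(form));
        var body = await response.Content.ReadAsStringAsync();
        if (!response.IsSuccessStatusCode)
            throw new HttpRequestException("Token endpoint returned " + (int)response.StatusCode + ": " + body);
        return JObject.Parse(body);
    }
}
```

The refresh token is a long-lived credential for the user, so keep it server-side with the client secret rather than handing it to the browser, and persist the replacement token returned by RefreshAsync immediately, since with one-time usage the previous value is no longer valid.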
