1
votes

I have created a service, without user interaction, to access my API. The API needs to know the user. Therefore I need the resource-owner flow.

To access my API I need an access_token with the correct scope "MyApiScope". I can obtain an access_token with the resource-owner flow by specifying scope="MyApiScope". But I won't get a refresh token this way.

I can obtain a refresh_token with the resource-owner flow by specifying scope="offline_access". But the access_tokens generated with this refresh token can't be used to access my API because they do not contain the right scope: "offline_access" != "MyApiScope".

Is it just not possible in this scenario to use refresh tokens and should I therefore always use the username/password to obtain a new access_token?

Thanks for your advice.

1
Nothing prevents you from using both the offline_access and MyApiScope scopes. - Spomky-Labs
How simple can it be! I added the scope and it worked! I just wasn't aware that you had to concatenate the scopes with spaces in between (url-encoded of course). grant_type=password&username={USERNAME}&password={PASSWORD}&client_id={CLIENT_ID}&client_secret={CLIENT_SECRET}&scope=MyApiScope offline_access - fantastischIdee

1 Answer

1
votes

Just add all the required scopes separated by spaces.
grant_type=password&username={USERNAME}&password={PASSWORD}&client_id={CLIENT_ID}&client_secret={CLIENT_SECRET}&scope=MyApiScope offline_access
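As an added example (not part of the answer above), the following Python code builds the password-grant request with both scopes in one space-delimited scope parameter, builds the matching refresh request, and checks the token response for the API scope and a refresh token before the client relies on it. The client credentials, usernames and token responses are constructed placeholders; no real token endpoint is contacted.

```python
"""Added example: resource-owner password grant requesting MyApiScope and
offline_access together, plus the checks a client should run on the response.
All credentials and token responses here are constructed placeholders."""
import json
from urllib.parse import urlencode, parse_qs

API_SCOPE = "MyApiScope"
OFFLINE_SCOPE = "offline_access"


def build_password_grant_body(username, password, client_id, client_secret, scopes):
    """Form body for grant_type=password. 'scope' is a single parameter whose
    value is the space-separated scope list (RFC 6749 section 3.3); urlencode()
    encodes the space as '+', which the server decodes back to a space."""
    return urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": " ".join(scopes),
    })


def build_refresh_body(refresh_token, client_id, client_secret):
    """Form body for grant_type=refresh_token. No scope parameter is sent, so the
    server reuses the scope granted by the original password grant
    (RFC 6749 section 6); it may not widen it."""
    return urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    })


def parsed_scope(body):
    """Decode the form body again and return the scope value the server will see."""
    return parse_qs(body)["scope"][0]


def granted_scopes(token_response):
    """Scopes actually granted, from the space-delimited 'scope' field of the
    token response (an empty set if the server returned none)."""
    return set(token_response.get("scope", "").split())


def check_token_response(token_response, required_scopes):
    """Return (missing_scopes, has_refresh_token).

    A token that lacks the API scope must not be sent to the API (the server
    would reject it), and without a refresh token the client has no choice but
    to repeat the password grant when the access token expires."""
    missing = set(required_scopes) - granted_scopes(token_response)
    return missing, "refresh_token" in token_response


# Constructed token responses for the two situations described in the question.
RESPONSE_API_ONLY = json.loads(
    '{"access_token":"AT1","token_type":"Bearer","expires_in":3600,"scope":"MyApiScope"}')
RESPONSE_BOTH = json.loads(
    '{"access_token":"AT2","token_type":"Bearer","expires_in":3600,'
    '"refresh_token":"RT2","scope":"MyApiScope offline_access"}')


if __name__ == "__main__":
    body = build_password_grant_body("alice", "placeholder-password",
                                     "my-client", "placeholder-secret",
                                     [API_SCOPE, OFFLINE_SCOPE])
    print(body)                       # scope=MyApiScope+offline_access
    print(parsed_scope(body))         # MyApiScope offline_access
    print(check_token_response(RESPONSE_API_ONLY, [API_SCOPE, OFFLINE_SCOPE]))
    print(check_token_response(RESPONSE_BOTH, [API_SCOPE, OFFLINE_SCOPE]))
    print(build_refresh_body(RESPONSE_BOTH["refresh_token"], "my-client", "placeholder-secret"))
```

Run `check_token_response` on the refreshed token as well: servers may return a narrower scope on refresh than was originally granted, so the API scope should be re-verified before each new access token is used rather than assumed from the first response.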