Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

<@U04UQ68083H> Which auth flows does Ory Hydra support returning a refresh token?

Ory Hydra supports returning a refresh token in the Authorization Code flow. To obtain a refresh token, the client needs to request the `offline_access` scope during the initial token issuance. The `offline_access` scope indicates that the client needs a refresh token. Not all OAuth2 and OIDC flows support refresh tokens. For instance, the Implicit flow and Client credentials flow do not support refresh tokens.  Here's a table that shows which flows support refresh tokens:  | Flow | Supports Refresh Token | Required scope | Required response type | | --- | --- | --- | --- | | Authorization Code flow | Yes | `offline_access` | `code` | | Implicit flow | No |  |  | | Client credentials flow | No |  |  |  For more details, you can refer to the [Ory documentation](<https://www.ory.sh/docs/oauth2-oidc/refresh-token-grant#requirements-for-obtaining-a-refresh-token>).