To get a refresh token when using single sign-on with Ory, you need to include the

offline_access

scope in the access request. This is part of the Authorization Code flow, which returns an access token that expires after a certain period of time. By requesting the

offline_access

scope, you can obtain a refresh token that can be used to get a new access token without requiring the user to re-authenticate. Here are the steps: 1. The client needs to be allowed to request the

offline_access

scope. 2. The user has to accept that the client may use the

offline_access

scope on the consent screen. Please note that not all OAuth2 and OIDC flows support refresh tokens. For instance, the Authorization Code flow supports refresh tokens, but the Implicit flow and Client Credentials flow do not. For social sign-in, the tokens are issued only when the Identity signs up with a social sign-in provider or links a new social sign-in provider to their account. You can get the Identity details that include the social sign-in provider tokens by running a specific command. Here is an example of how to get the Identity details using cURL:

bash curl --request GET -sL \     --header "Content-Type: application/json" \     --header "Authorization: Bearer {ORY_API_KEY}" \     'https://$<http://PROJECT_SLUG.projects.oryapis.com/admin/identities/<identity_id>?include_credential=oidc|PROJECT_SLUG.projects.oryapis.com/admin/identities/<identity_id>?include_credential=oidc>'

Please replace

{ORY_API_KEY}

with your actual ORY API key and

<identity_id>

with the actual identity ID. Sources: - [Get a refresh token](https://www.ory.sh/docs/oauth2-oidc/authorization-code-flow#get-a-refresh-token) - [Requirements for obtaining a refresh token](https://www.ory.sh/docs/oauth2-oidc/refresh-token-grant#requirements-for-obtaining-a-refresh-token) - [Get social sign-in provider tokens](https://www.ory.sh/docs/kratos/social-signin/get-tokens)