Obtaining Refresh Tokens

Describes how to refresh access tokens.

You can use a cURL POST request to refresh an access token. When you refresh an access token, the new token reflects the user's current roles and attributes. Each refresh token is typically valid for a week. Including the offline_access scope in the cURL POST obtains a refresh token that does not expire unless the token is not used for thirty days.

cURL POST Request

Use the following cURL POST request to obtain new access and refresh tokens:
response_json=$(curl --data "grant_type=refresh_token&client_id=ua-grant&refresh_token=$REFRESH_TOKEN" "https://$KC_ADDR/realms/UA/protocol/openid-connect/token")
TIP
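For testing purposes, you can use curl -k to skip peer certificate validation if the local CA certificate store cannot validate the Unified Analytics gateway certificate. With -k, curl does not verify the identity of the server that receives the refresh token (and the client_secret, for a confidential client), so limit its use to test environments.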
Offline Access
If you do not want the token to expire, include the offline_access scope in the request, as shown:
response_json=$(curl --data "grant_type=refresh_token&client_id=ua-grant&refresh_token=$REFRESH_TOKEN&scope=offline_access" "https://$KC_ADDR/realms/UA/protocol/openid-connect/token")
An offline_access token can be used repeatedly; however, if an offline_access refresh token is not used for thirty days, the token becomes invalid.

Reconfigured ua-grant OIDC Client as a Confidential Client
If the ua-grant OIDC client is reconfigured to be a confidential client, you must specify the client_secret as one of the data parameters in the cURL request. For example, if ua-grant is a confidential client with a secret value of 3EMVFnKnOU3B5Yh9B8MchwcFHvOVTcdh, then the cURL request must include that value for the client_secret parameter, as shown:
response_json=$(curl --data "grant_type=refresh_token&client_id=ua-grant&refresh_token=$REFRESH_TOKEN&client_secret=3EMVFnKnOU3B5Yh9B8MchwcFHvOVTcdh" "https://$KC_ADDR/realms/UA/protocol/openid-connect/token")
For additional information, see Making the ua-grant OIDC Client a Confidential Client.

Getting the Access and Refresh Tokens from the Response Body

To get the access and refresh tokens, extract the access_token and refresh_token attributes from the JSON object in the response body. For example, you can use the jq command-line JSON processor, as shown:
ACCESS_TOKEN=$(echo "$response_json" | jq -r '.access_token')
REFRESH_TOKEN=$(echo "$response_json" | jq -r '.refresh_token')
The tokens are in JWT format.

To use the access token in requests to the application API endpoints, specify the token as a bearer token in the Authorization header.
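
The jq extraction above prints the literal text null when the token endpoint returns an error object, which would overwrite the refresh token you still hold. The following added example (not part of the original documentation) validates the response before replacing the tokens; the function names and sample responses are constructed for illustration, and it assumes that error bodies follow the OAuth 2.0 format with an error member.

```shell
# Added example. Constructed sample responses, not captured from a real gateway.
SAMPLE_OK='{"access_token":"aaa.bbb.ccc","refresh_token":"ddd.eee.fff"}'
SAMPLE_ERR='{"error":"invalid_grant","error_description":"constructed sample"}'

# is_jwt_shaped STRING (hypothetical helper): succeeds when STRING is three
# non-empty base64url segments joined by dots. Shape check only; it does not
# verify the signature.
is_jwt_shaped() {
  case "$1" in
    *[!A-Za-z0-9_.-]*) return 1 ;;  # character outside base64url and "."
    *.*.*.*) return 1 ;;            # more than three segments
    .*|*.|*..*) return 1 ;;         # an empty segment
    *.*.*) return 0 ;;
    *) return 1 ;;
  esac
}

# accept_token_response JSON (hypothetical helper): set ACCESS_TOKEN and
# REFRESH_TOKEN only when JSON carries both tokens; otherwise keep the old ones.
accept_token_response() {
  local json="$1" err new_access new_refresh
  # Not a JSON object: HTML error page, empty body after a failed connection.
  if ! printf '%s' "$json" | jq -e 'type == "object"' >/dev/null 2>&1; then
    echo "token endpoint returned a non-JSON body" >&2; return 2
  fi
  # OAuth 2.0 error responses carry an "error" member instead of tokens.
  err=$(printf '%s' "$json" | jq -r '.error // empty')
  if [ -n "$err" ]; then
    echo "token refresh rejected: $err" >&2; return 3
  fi
  # "// empty" yields an empty string where plain jq -r would print "null".
  new_access=$(printf '%s' "$json" | jq -r '.access_token // empty')
  new_refresh=$(printf '%s' "$json" | jq -r '.refresh_token // empty')
  if ! is_jwt_shaped "$new_access" || ! is_jwt_shaped "$new_refresh"; then
    echo "response is missing a JWT-format token" >&2; return 4
  fi
  ACCESS_TOKEN=$new_access
  REFRESH_TOKEN=$new_refresh
}

# refresh_tokens: the page's refresh request, with the body validated before use.
refresh_tokens() {
  local body
  body=$(curl --silent --show-error \
    --data "grant_type=refresh_token&client_id=ua-grant" \
    --data-urlencode "refresh_token=$REFRESH_TOKEN" \
    "https://$KC_ADDR/realms/UA/protocol/openid-connect/token") || return 1
  accept_token_response "$body"
}
```

Call refresh_tokens in place of the bare curl command; a non-zero exit status means ACCESS_TOKEN and REFRESH_TOKEN were left unchanged.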

Refreshing Tokens in Notebook

If you encounter a JWT token expiration error while running cells in the notebook, you can resolve it by running the %update_token magic function. To learn more, see %update_token.