How to get SSO_OIDC create_token's refresh token?

[Togtja]

When I call

token_response = sso_oidc.create_token(
                clientId=clientId,
                clientSecret=clientSecret,
                grantType="urn:ietf:params:oauth:grant-type:device_code",
                deviceCode=device_code,
)

The return I get is

{
    "accessToken": "xxxxx",
    "tokenType": "Bearer", 
    "expiresIn": 28800
}

However I was hoping to also get a refresh token, so that I can renew the session when it expires. Like so:

{
    "accessToken": "xxxxx",
    "tokenType": "Bearer", 
    "expiresIn": 28800,
    "refreshToken": "xxxx"
}

Any help in how to achieve this would be greatly appreciated!

[riley-lunar]

Did you ever figure this out?

[Togtja]

No, sadly not

[ajkerrigan]

I stumbled across this issue while looking into an unrelated issue about handling refresh tokens. For anyone else having this issue though... the Identity Center docs call out the difference between the refreshable "SSO token provider configuration" and a "legacy non-refreshable configuration". The refreshable setup requires both a reasonably current CLI version and sso_registration_scopes = sso:account:access option defined in your config file.

If you happen to be using boto3 to register clients and create tokens without referencing an existing config file, you can define your scopes when registering a client:

oidc_client.register_client(
    clientName="my_client",
    clientType="public",
    scopes=["sso:account:access"],
)

And then by default, the create_token() calls will use the scopes defined on the registered client, your browser approval screen will look a little different and you'll get refresh tokens. Hope this helps someone out there.