Configure OIDC refresh tokens
OIDC refresh tokens allow your Coder deployment to maintain user sessions beyond the initial access token expiration. Without properly configured refresh tokens, users will be automatically logged out when their access token expires. This is typically after one hour, but varies by provider, and can disrupt the user's workflow.
Important
Misconfigured refresh tokens can lead to frequent user authentication prompts.
After the admin enables refresh tokens, all existing users must log out and back in again to obtain a refresh token.
Go to the Azure Portal > Azure Active Directory > App registrations > Your Coder app and make the following changes:
-
In the Authentication tab:
- Platform configuration > Web
- Ensure Allow public client flows is
No(Coder is confidential) - Implicit grant / hybrid flows can stay unchecked
-
In the API permissions tab:
- Add the built-in permission
offline_accessunder Microsoft Graph > Delegated permissions - Keep
openid,profile, andemail
- Add the built-in permission
-
In the Certificates & secrets tab:
- Verify a Client secret (or certificate) is valid. Coder uses it to redeem refresh tokens.
-
In your Coder configuration, request the same scopes:
CODER_OIDC_SCOPES=openid,profile,email,offline_access -
Restart Coder and have users log out and back again for the changes to take effect.
Alternatively, you can force a sign-out for all users with the sign-out request process.
-
Azure issues rolling refresh tokens with a default absolute expiration of 90 days and inactivity expiration of 24 hours.
You can adjust these settings under Authentication methods > Token lifetime (or use Conditional-Access policies in Entra ID).
You don't need to configure the 'Expose an API' section for refresh tokens to work.
Learn more in the Microsoft Entra documentation.
Confirm refresh token configuration
To verify refresh tokens are working correctly:
-
Check that your OIDC configuration includes the required refresh token parameters:
offline_accessscope for most providers"access_type": "offline"for Google
-
Verify provider-specific token configuration:
Use jwt.ms to inspect the
id_tokenand ensure thert_hashclaim is present. This shows that a refresh token was issued. -
Verify users can stay logged in beyond the identity provider's access token expiration period (typically 1 hour).
-
Monitor Coder logs for
failed to renew OIDC token: token has expiredmessages. There should not be any.
If all verification steps pass successfully, your refresh token configuration is working properly.
Troubleshooting OIDC Refresh Tokens
Users are logged out too frequently
Symptoms:
- Users experience session timeouts and must re-authenticate.
- Session timeouts typically occur after the access token expiration period (varies by provider, commonly 1 hour).
Causes:
- Missing required refresh token configuration:
offline_accessscope for most providers"access_type": "offline"for Google
- Provider not correctly configured to issue refresh tokens.
- User has not logged in since refresh token configuration was added.
Solution:
- For most providers, add
offline_accessto yourCODER_OIDC_SCOPESconfiguration."access_type": "offline"for Google
- Configure your identity provider according to the provider-specific instructions above.
- Have users log out and log in again to obtain refresh tokens.
Look for entries containing
failed to renew OIDC tokenwhich might indicate specific provider issues.
Refresh tokens don't work after configuration change
Symptoms:
- Session timeouts continue despite refresh token configuration and users re-authenticating.
- Some users experience frequent logouts.
Cause:
- Existing user sessions don't have refresh tokens stored.
- Configuration may be incomplete.
Solution:
- Users must log out and log in again to get refresh tokens stored in the database.
- Verify you've correctly configured your provider as described in the configuration steps above.
- Check Coder logs for specific error messages related to token refresh.
Users might get logged out again before the new configuration takes effect completely.