Using Postman for the Authorisation Code Grant on Server 2016 (ADFS 4.0) is documented here.
Then someone asked me how to extend this to get a new access token using the refresh token.
Recall that the second part of the code grant is to send a code to the /token endpoint that returns an access token, a refresh token and an ID token.
Sending that refresh token to the /token endpoint returns an access token and an ID token, but not another refresh token. Is that correct?
So back to the OAuth spec (RFC 6749) section:
6. Refreshing an Access Token
"If valid and authorized, the authorization server issues an access token as described in Section 5.1. If the request failed verification or is invalid, the authorization server returns an error response as described in Section 5.2.
The authorization server MAY issue a new refresh token, in which case the client MUST discard the old refresh token and replace it with the new refresh token.
The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client. If a new refresh token is issued, the refresh token scope MUST be identical to that of the refresh token included by the client in the
So that is correct: issuing a new refresh token is a MAY, and ADFS simply chooses not to.
Note that you can use this refresh token over and over again until it expires and each time you will get a new access token.
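The refresh call above, as an added Python example (not code from the original post or from ADFS): it posts the refresh_token grant to the /token endpoint and merges the reply into client state the way RFC 6749 section 6 requires, keeping the old refresh token when the server omits a new one (the ADFS 4.0 behaviour seen above) and discarding it when a new one is issued. The endpoint host, client_id and token values are placeholders, and a public client with no client_secret is assumed.

```python
"""Refresh an ADFS 4.0 access token with the refresh_token grant (RFC 6749 s.6)."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Assumed ADFS token endpoint layout; the host is a placeholder for your farm.
TOKEN_ENDPOINT = "https://adfs.example.com/adfs/oauth2/token"


def build_refresh_request(client_id, refresh_token, scope=None):
    """Form-encoded body for the refresh_token grant (public client, no secret)."""
    params = {"grant_type": "refresh_token",
              "client_id": client_id,
              "refresh_token": refresh_token}
    if scope:
        params["scope"] = scope  # may only narrow the originally granted scope
    return urllib.parse.urlencode(params).encode()


def apply_token_response(old_refresh_token, response, now=None):
    """Merge a /token reply into client state. The server MAY return a new
    refresh token; if it does, the old one MUST be discarded. ADFS 4.0 usually
    returns only access_token and id_token, so the old refresh token is kept."""
    if "error" in response:
        raise RuntimeError("refresh failed: %s: %s" % (
            response["error"], response.get("error_description", "")))
    if response.get("token_type", "").lower() != "bearer":
        raise RuntimeError("unexpected token_type %r" % response.get("token_type"))
    now = time.time() if now is None else now
    return {
        "access_token": response["access_token"],
        "expires_at": now + int(response.get("expires_in", 0)),
        "refresh_token": response.get("refresh_token", old_refresh_token),
        "rotated": "refresh_token" in response,   # True only if a new one came back
    }


def refresh(client_id, refresh_token, endpoint=TOKEN_ENDPOINT,
            opener=urllib.request.urlopen):
    """Perform the refresh round trip; `opener` is injectable for testing."""
    req = urllib.request.Request(
        endpoint, data=build_refresh_request(client_id, refresh_token),
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"}, method="POST")
    try:
        with opener(req) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as err:   # error replies carry a JSON body
        body = json.load(err)
    return apply_token_response(refresh_token, body)
```

Call `refresh("placeholder-client-id", "<refresh token from the code grant>")` again each time the access token nears `expires_at`; until the refresh token itself expires, the same one keeps working.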
There's a good write-up here around configuring the refresh token timeouts etc.
It revolves around the PowerShell command:
Name : RP Name
IssueOAuthRefreshTokensTo : AllDevices
AlwaysRequireAuthentication : False
TokenLifetime : 960