By: Alex Peltonen user 08 Jan 2021 at 12:06 p.m. CST

6 Responses
I am trying to do silent token renewal with oidc-client, using OIDC authorization code flow on a React SPA. I expected silent access token renewal to succeed via iframe when prompt: none is set. However, Gluu server responds with login_required, even though the user is logged in. Preauthorize is set to true, and everything else works. Question: is silent renew / iframe silent login supported? If so, where can I find more info on configuration?

By Michael Schwartz Account Admin 08 Jan 2021 at 12:36 p.m. CST

What grant did you use to get the access token? Are you using PKCE? Can you post a summary of your client config?

By Alex Peltonen user 08 Jan 2021 at 1:31 p.m. CST

Certainly, here is the summary:

OPENID CONNECT CLIENTS DETAILS
------------------------------
- **Name:** MyClient
- **Client ID:** client-id
- **Subject Type:** public
- **ClientSecret:** XXXXXXXXXXX
- **Application Type:** web
- **Persist Client Authorizations:** true
- **Pre-Authorization:** true
- **Authentication method for the Token Endpoint:** none
- **Logout Session Required:** false
- **Include Claims In Id Token:** false
- **Disabled:** false
- **Logout Redirect URIs:** [https://localhost:3000/logout-callback]
- **Login Redirect URIs:** [https://localhost:3000/silent-renew.html, https://localhost:3000/signin-callback]
- **Scopes:** [profile, openid, permission, email, user_name]
- **Grant types:** [authorization_code]
- **Response types:** [code, token, id_token]

I am using the authorization_code grant and yes, code_challenge is being posted along with `&code_challenge_method=S256&response_mode=query`, while the callback is silent_renew.html, which is being called, but with error=login_required.

By Michael Schwartz Account Admin 08 Jan 2021 at 1:40 p.m. CST

Response types should only be `code`... you don't want the tokens coming back in the redirect unless you are using the hybrid flow. Also, I don't see that you have given the refresh_token grant type.

By Kiran Mali staff 11 Jan 2021 at 4:18 a.m. CST

Hi Alex,

Yes, you need to set:

- Grant types: [authorization_code, refresh_token]
- Response types: [code]

and also check the global setting `forceOfflineAccessScopeToEnableRefreshToken`, especially for the refresh token case. [More details are here](https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess)

Let me share my client details with you:

![Screenshot from 2021-01-11 15-41-59](https://user-images.githubusercontent.com/39133739/104168554-3a622b00-5424-11eb-950d-a7a29ee1f015.png)

Best regards,
Kiran Mali

By Alex Peltonen user 11 Jan 2021 at 7:21 a.m. CST

Ok. Looks like silent renew does not work due to SameOrigin cookie restrictions in Chrome, because Gluu does not set SameSite attribute (to SameSite=None). Disabling SameSite controls in chrome://flags confirms this. I just had to remove token and id_token response types to have a working setup with these default flags disabled. I was hoping to avoid refresh_token and do a silent signin via iframe, because I could not find anything on refresh_token rotation support in Gluu docs. There is a refresh token lifetime setting, but no further description as far as I can find.

By Kiran Mali staff 12 Jan 2021 at 6:03 a.m. CST

Hello Alex,

> because I could not find anything on refresh_token rotation support in Gluu docs. There is a refresh token lifetime setting, but no further description as far as I can find.

I think we don't need to add more about this in our docs because we are following OpenID Connect standards, so you can find details about `refresh token` in the [OIDC Specs here](https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens). It is an open standard.

Let us know if you need anything else. Thank you!