Refresh access_token via refresh_token in Keycloak
Solution 1
Keycloak has a REST API for creating an access_token using a refresh_token. It is a POST endpoint with application/x-www-form-urlencoded.
Here is how it looks:
Method: POST
URL: https://keycloak.example.com/auth/realms/myrealm/protocol/openid-connect/token
Body type: x-www-form-urlencoded
Form fields:
client_id : <my-client-name>
grant_type : refresh_token
refresh_token: <my-refresh-token>
This will give you a new access token using the refresh token.
NOTE: if your refresh token is expired it will throw a 400 exception; in that case you can make the user log in again.
Check out a sample in Postman; you can develop a corresponding API using this.
Original Author Yogendra Mishra Of This Content
Solution 2
@maslick is correct, you have to supply the client secret too; no need for an Authorization header in this case:
http://localhost:8080/auth/realms/{realm}/protocol/openid-connect/token
In case of an expired refresh token it returns:
If you don't add the secret you get 401 Unauthorized even though the refresh token is correct.
Original Author Khalifa Of This Content
Solution 3
I tried with 4.8.2.Final; it gives the following unauthorized_client error even with the previous access token as 'Bearer'.
Then I tried with Basic YXBwLXByb3h5OnNlY3JldA== in the Authorization header.
Then it worked, but I'm still not sure that I am doing the right thing.
Original Author Sampath Nawgala Of This Content
Solution 4
Extending Yogendra Mishra's answer. Note that client_id and client_secret can also be sent in the Authorization header:
Authorization: Basic ${Base64(<client_id>:<client_secret>)}
This works for both the initial token call (without refresh token) and the refresh token call to the /openid-connect/token endpoint.
Reference:
https://developer.okta.com/docs/reference/api/oidc/#client-secret
Original Author Abdul Rauf Of This Content
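The refresh request described in Solution 1, together with the two ways the later answers give for authenticating a confidential client (client_secret in the form body as in Solution 2, or an HTTP Basic Authorization header as in Solutions 3 and 4), as an added Python example. This is not code from any of the answers above: the realm URL, client name, secret and token strings are placeholders, the sample response bodies are constructed for the offline check, and the 400/401 handling follows what the answers report (400 when the refresh token is expired, 401 when the secret is missing).

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Placeholder endpoint; replace realm and host with your own.
TOKEN_URL = "https://keycloak.example.com/auth/realms/myrealm/protocol/openid-connect/token"

# Constructed sample bodies, shaped like the token endpoint's JSON, for offline checks.
SAMPLE_OK_BODY = json.dumps({
    "access_token": "new-access-token", "expires_in": 300,
    "refresh_token": "new-refresh-token", "refresh_expires_in": 1800,
    "token_type": "bearer",
})
SAMPLE_EXPIRED_BODY = json.dumps({"error": "invalid_grant", "error_description": "Token is not active"})


def build_refresh_request(token_url, client_id, refresh_token, client_secret=None, secret_in_header=False):
    """Return (url, headers, body_bytes) for the refresh_token grant.

    A public client sends only client_id in the form body. A confidential client
    must also authenticate: either client_secret in the form body (Solution 2)
    or an HTTP Basic header carrying base64(client_id:client_secret) (Solution 4).
    """
    fields = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is not None and secret_in_header:
        creds = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode()
    else:
        fields["client_id"] = client_id
        if client_secret is not None:
            fields["client_secret"] = client_secret
    return token_url, headers, urllib.parse.urlencode(fields).encode()


def classify_token_response(status):
    """Map the HTTP status to the action the caller should take.

    200 -> "ok": use the new tokens.
    400 -> "reauthenticate": refresh token expired/invalid, send the user to log in again.
    401 -> "client_auth_error": client secret missing or wrong (a configuration bug, not a user problem).
    """
    if status == 200:
        return "ok"
    if status == 400:
        return "reauthenticate"
    if status == 401:
        return "client_auth_error"
    return "unexpected"


def parse_token_response(body_text):
    """Extract the new tokens and their lifetimes (seconds) from a 200 response."""
    data = json.loads(body_text)
    return {
        "access_token": data["access_token"],
        "expires_in": int(data["expires_in"]),
        "refresh_token": data.get("refresh_token"),
        "refresh_expires_in": int(data.get("refresh_expires_in", 0)),
    }


def refresh(token_url, client_id, refresh_token, client_secret=None, secret_in_header=False):
    """Perform the refresh over the network and return (action, tokens_or_error_body)."""
    url, headers, body = build_refresh_request(token_url, client_id, refresh_token, client_secret, secret_in_header)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            status, text = resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # 400/401 arrive here with the JSON error body
        status, text = err.code, err.read().decode()
    action = classify_token_response(status)
    return action, (parse_token_response(text) if action == "ok" else text)


if __name__ == "__main__":
    # Network call with placeholder values; expect "reauthenticate" or a connection error here.
    print(refresh(TOKEN_URL, "my-client", "<my-refresh-token>", client_secret="<my-secret>"))
```

The Basic header built for client "app-proxy" with secret "secret" is exactly the value Solution 3 shows, which is a handy way to confirm the encoding; treat a 401 as a client-configuration error to fix on the server side, and only a 400 as the signal to send the user back through login.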