diff --git a/deployment.yaml b/deployment.yaml
index ab618ba..a08dbf2 100644
--- a/deployment.yaml
+++ b/deployment.yaml
@@ -111,11 +111,13 @@ spec:
         - 'https://inventory-app-72zn4.codemowers.ee/login-callback'
       grantTypes:
         - 'authorization_code'
+        - 'refresh_token'
       responseTypes:
         - 'code'
       availableScopes:
         - 'openid'
         - 'profile'
+        - 'offline_access'
       tokenEndpointAuthMethod: 'client_secret_basic'
       pkce: false
diff --git a/inventory-app/oidc.py b/inventory-app/oidc.py
index 7e20273..bbdbf9f 100644
--- a/inventory-app/oidc.py
+++ b/inventory-app/oidc.py
@@ -45,6 +45,11 @@ def add_url_params(url, params):
     req.prepare_url(url, params)
     return req.url
 
+def add_session_tokens(session, r):
+    session["access_token"] = r["access_token"]
+    session["id_token"] = r["id_token"]
+    session["refresh_token"] = r["refresh_token"]
+
 @page_oidc.route('/login-callback')
 def login_callback():
     r = requests.post(metadata["token_endpoint"], {
@@ -59,11 +64,26 @@ def login_callback():
     if not validate_id_token(r["id_token"]) or not read_user(r["access_token"]):
         return "tokens validation failed", 500
 
-    session["id_token"] = r["id_token"]
-    session["access_token"] = r["access_token"]
+    add_session_tokens(session, r)
     print("authenticated, stored url was: " + session.get("original_url"))
     return redirect(session.pop("original_url", "/"))
 
+def do_refresh():
+    print("doing refreesh")
+    r = requests.post(metadata["token_endpoint"], {
+        "client_secret": os.getenv("OIDC_CLIENT_SECRET"),
+        "grant_type": "refresh_token",
+        "refresh_token": session["refresh_token"],
+        "scope": os.getenv("OIDC_AVAILABLE_SCOPES").replace(",", " "),
+    })
+    if r.status_code == 200:
+        add_session_tokens(session, r.json())
+        print("token refresh success")
+        return True
+    else:
+        print("token refresh failed")
+        return False
+
 @page_oidc.route("/logout")
 def logout():
     token = session.pop("access_token", "asdf")
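Review bot: `add_session_tokens` indexes `r["refresh_token"]` and `r["id_token"]` unconditionally, but on a refresh_token grant the token endpoint is not required to return a new refresh_token (RFC 6749 §6) nor an id_token (OIDC Core §12.2), so a compliant provider that omits either turns do_refresh's 200 success path into a KeyError. Fall back to what the session already holds: `session["id_token"] = r.get("id_token", session.get("id_token"))` and `session["refresh_token"] = r.get("refresh_token", session.get("refresh_token"))`. A one-line docstring should also say the helper serves both the code exchange and the refresh grant, so it must tolerate both response shapes.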
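Review bot: do_refresh stores whatever the token endpoint returns without running `validate_id_token` on the refreshed id_token, while login_callback in the same hunk refuses tokens that fail that check, so a refreshed id_token ends up trusted unverified. It also reads `session["refresh_token"]` with a bare index (KeyError when a refresh is triggered for a session that never stored one) and authenticates by placing only `client_secret` in the POST body with no client_id, whereas deployment.yaml in this same change sets `tokenEndpointAuthMethod: 'client_secret_basic'`, so unless the provider is lenient the refresh request will be rejected. The id_token is optional on a refresh, so validate it only when present; the client_id should come from the same setting login_callback's token request uses (that request body sits outside the hunk), and the debug prints (`"doing refreesh"`) belong in a logger or should be dropped.
```python
def do_refresh():
    refresh_token = session.get("refresh_token")
    if not refresh_token:
        return False
    r = requests.post(metadata["token_endpoint"], {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": os.getenv("OIDC_AVAILABLE_SCOPES").replace(",", " "),
    }, auth=(client_id, os.getenv("OIDC_CLIENT_SECRET")))  # client_secret_basic; client_id as used by login_callback
    if r.status_code != 200:
        return False
    tokens = r.json()
    # id_token is optional on a refresh; never store one that fails validation
    if "id_token" in tokens and not validate_id_token(tokens["id_token"]):
        return False
    add_session_tokens(session, tokens)
    return True
```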
@@ -87,6 +107,13 @@ def read_user(token=None):
     })
     if r.status_code == 200:
         return r.json()
+    elif r.status_code == 401 and do_refresh():
+        token = session.get("access_token", False)
+        r = requests.get(url = metadata["userinfo_endpoint"], headers = {
+            "Authorization": "Bearer " + token
+        })
+        if r.status_code == 200:
+            return r.json()
     else:
         return False
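Review bot: after a successful refresh the retry does `token = session.get("access_token", False)` and then `"Bearer " + token`, which raises TypeError instead of returning False should the session lack the token; use `token = session.get("access_token")` and guard with `if not token: return False`. The refresh-then-retry branch has no else of its own, so a retry that is not 200 falls off the end and returns None rather than False; callers doing `not read_user(...)` still work, but the inner `if r.status_code == 200:` should be followed by `return False` for a consistent contract. Note that read_user is also called from login_callback with an access token that has not yet been stored, before the session holds any refresh_token, so a 401 there reaches do_refresh with nothing to refresh with; read_user's signature and the first userinfo request sit outside this hunk.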