I’m running into an issue where, in my Auth0 Rules, the social connection access token I obtain through user.identities[0].access_token has expired.
This seems to happen sporadically for a typical login from the frontend SPA, and consistently for the /oauth/token endpoint when I’m using a stored Auth0 refresh token to fetch a valid Access Token.
Here’s the scenario:
Social connection the user uses to log in: Salesforce
Clients: “CompanySPA”
API: “CompanyAPI”
Our backend (CompanyAPI) stores the Auth0 refresh tokens of certain users (“API Users”), which we use to run background tasks that don’t follow the typical HTTP request-response cycle.
In one of our Auth0 Rules, we use the access token of our social connection (Salesforce) to fetch some information from SF and then populate the JWT with some custom claims. This works mostly fine for the SPA implicit grant flow, but for refresh_token, this isn’t working.
By refresh token flow, I mean this:
POST https://company.auth0.com/oauth/token
{
"grant_type": "refresh_token",
"client_id": "(client id of CompanySPA)",
"refresh_token": "(refresh token of the user)"
}
The webtask logs indicate that the rules are running, but Salesforce is rejecting the access token because it has expired. In our scenario the API User is not a real user, so it never logs in, which means the access token won’t be refreshed.
To summarize, the problems:
- If a user hasn’t logged in for a while, the social connection’s access token available through user.identities[0].access_token is an expired one.
- Sometimes when a user logs in through the SPA, user.identities[0].access_token may be expired.
Can Auth0 ensure that when a rule is run, the social connection’s access token is valid?
EDIT: I’m following the instructions in “Access Token for Social Connections - when are they refreshed?” (Auth0 Community), but the access token I get is expired.
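An added example, not the poster’s Rule: a Rule-shaped function that treats a stale social access token as a soft failure. Rather than letting the Salesforce 401 abort the login or the refresh_token exchange, it records what happened as a claim, so the backend can tell “enriched” tokens from “Salesforce token was stale” tokens and decide what to do. Everything beyond the Auth0 Rule signature is assumed here: the identity is selected by provider name ('salesforce') instead of [0], the claim namespace is made up, fetchSalesforceProfile is a hypothetical synchronous helper standing in for the HTTP call so the example runs offline, and context.protocol is taken to read 'oauth2-refresh-token' for refresh flows as Auth0 documents for the Rule context.

```javascript
// Added example, not the original poster's Rule. Assumptions (not from the
// post): provider name 'salesforce', the CLAIMS namespace, the hypothetical
// fetchSalesforceProfile helper, and context.protocol === 'oauth2-refresh-token'
// for refresh_token grants.

const CLAIMS = 'https://company.example/claims/';

// Pick the identity for a given social provider; the post indexes [0], which
// is only right when that provider happens to be the user's primary identity.
function findSocialIdentity(user, provider) {
  return (user.identities || []).find((id) => id.provider === provider) || null;
}

// Core of the Rule: enrich context.accessToken, degrading gracefully when the
// stored social token is expired instead of failing the whole grant.
function enrichWithSalesforce(user, context, fetchSalesforceProfile) {
  const identity = findSocialIdentity(user, 'salesforce');
  if (!identity || !identity.access_token) {
    context.accessToken[CLAIMS + 'sf_status'] = 'no_identity';
    return context;
  }
  try {
    const profile = fetchSalesforceProfile(identity.access_token);
    context.accessToken[CLAIMS + 'sf_org_id'] = profile.organization_id;
    context.accessToken[CLAIMS + 'sf_status'] = 'ok';
  } catch (err) {
    if (err.statusCode !== 401) throw err; // real outage: let the Rule fail
    // Expired/revoked social token: record it, and whether it was hit on the
    // refresh_token grant, rather than blocking the user or the backend job.
    context.accessToken[CLAIMS + 'sf_status'] =
      context.protocol === 'oauth2-refresh-token' ? 'stale_token_on_refresh' : 'stale_token';
  }
  return context;
}

// Auth0 Rules have the shape function (user, context, callback); the helper is
// passed in as a fourth argument here only so it can be exercised offline.
function rule(user, context, callback, fetchSalesforceProfile) {
  let enriched;
  try {
    enriched = enrichWithSalesforce(user, context, fetchSalesforceProfile);
  } catch (err) {
    return callback(err);
  }
  return callback(null, user, enriched);
}

// Constructed stand-in for Salesforce: a token table with expiry, where the
// stale token produces the 401 the post describes.
function makeSalesforceStub(now) {
  const tokens = {
    'tok-fresh': { exp: now + 3600, organization_id: '00D000000000001' },
    'tok-stale': { exp: now - 60, organization_id: '00D000000000001' },
  };
  return (accessToken) => {
    const rec = tokens[accessToken];
    if (!rec || rec.exp <= now) {
      const e = new Error('INVALID_SESSION_ID');
      e.statusCode = 401;
      throw e;
    }
    return { organization_id: rec.organization_id };
  };
}

// Drive the Rule for one user/grant combination and return the resulting claims.
function runScenario(accessToken, protocol) {
  const user = { identities: [{ provider: 'salesforce', access_token: accessToken }] };
  const context = { protocol, accessToken: {} };
  let result = null;
  rule(
    user,
    context,
    (err, _u, ctx) => { result = err ? { error: err.message } : ctx.accessToken; },
    makeSalesforceStub(1700000000)
  );
  return result;
}

// Fresh token on an SPA login gets the org claim; the stale token that the
// stored-refresh-token job hits yields a status claim instead of a failure.
console.log(runScenario('tok-fresh', 'oidc-implicit-profile'));
console.log(runScenario('tok-stale', 'oauth2-refresh-token'));
```

This does not make the social token valid (only a fresh login or a provider-side refresh can do that); it makes the failure visible and non-fatal, which is usually the safer default for a background job that will never see an interactive login.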