Renewed token doesn't contain userinfo audience

Hi,
We have a token that has the audience set to our server. When creating a new token using the password grant the token gets properly populated with the audience for our server and the userinfo route. However, after renewing the token using the refresh token we get a token, but the token no longer has access to the userinfo audience, which prevents us from accessing the userinfo. Why does that happen? Here is the JSON we are sending to the oauth/token route:

{
    audience: "http://localhost:5000"
    client_id: CLIENT_ID
    grant_type: "refresh_token"
    realm: "Username-Password-Authentication"
    refresh_token: REFRESH_TOKEN
    scope: "openid profile email offline_access"
}

In my initial test I could not reproduce this situation; that test consisted of obtaining the refresh token at /oauth/token using ROPC grant and then performing the refresh token request. However, for this first test the parameters sent during the refresh token grant were the bare minimal, in particular, client_id, client_secret (used a confidential client), grant_type and refresh_token; with only these parameters the returned access token still included the /userinfo endpoint.

Given you’re sending a bit more parameters I repeated the above test by adding the audience parameter and I was indeed able to reproduce the issue. Having said that is there any reason why you’re sending the audience parameter as that is not required? Also, have in mind that realm is not applicable for the refresh token grant and scope can also be optional if you just want an access token with the same scopes as the initial one.

@jmangelo Yes I need the audience since I use the audience for my server api to ensure it is verified for my server. I can try removing those options, but I think it’s the fact that I’m sending the audience which is causing me issues, which it shouldn’t because the non-refresh request works fine

Hi @jmangelo I have similar problem as @bgerstle.tyco with the JS v8 SDK.
If I call webAuth.client.userInfo passing the accessToken that I get after a successful webAuth.client.login I get the following example response:
{
“sub”: “auth0|xxxxxxxxxxxxxxxxxx”,
“nickname”: “test”,
“name”: “test@example.com”,
“picture”: “https://s.gravatar.com/avatar/55502f40dc8b7c769880b10874abc9d0?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fte.png”,
“updated_at”: “2017-11-30T16:45:46.885Z”,
“email”: “test@example.com”,
“email_verified”: true
}

But if I call webAuth.client.userInfo passing the accessToken that I get after a successful webAuth.client.oauthToken (renewing the accessToken using the refreshToken) I get the following example response:
{
“sub”: “auth0|xxxxxxxxxxxxxxxxxx”
}

Can you help me to have all the user info back using the renewed access token?

Thanks!

@jmangelo Yes I need the audience since I use the audience for my server api to ensure it is verified for my server. I can try removing those options, but I think it’s the fact that I’m sending the audience which is causing me issues, which it shouldn’t because the non-refresh request works fine

This is not the same issue because if you get a success response (even with less info) then the access token is suitable (has the right audience). You should post this as a separate question and then delete this post. Ideally you should include in your question all the options used to initialize Auth0.js and then call the client.login and client.oauthToken methods.

@jmangelo Can this be fixed it appears to be an issue and is causing issues in my app there is no reason I should have to compromise on security by removing the audience because you are not sending all of the necessary audiences.