Issue with obtaining a refresh token using Lock and social connection

I have followed the guide from https://auth0.com/docs/connections/social/fitbit to get the user authenticated using Fitbit.

I am using the latest version of Auth0 Lock, and here are the options I pass to Lock:

static AUTH0_LOCK_OPTIONS = {
  auth: {
    audience: 'http://api.mydomain.com/api/v2',
    redirect: true,
    responseType: 'code', // also tried token
    params: {
      scope: 'openid offline_access email user_metadata app_metadata picture'
    },
    sso: false
  },
  oidcConformant: true,
  allowAutocomplete: true,
  rememberLastLogin: true,
  allowedConnections: ['Username-Password-Authentication']
};

Here is the Auth0 result I get back, WITHOUT A REFRESH TOKEN:

{  
   "accessToken":"eyJ....",
   "idToken":null,
   "idTokenPayload":null,
   "appStatus":null,
   "refreshToken":null,
   "state":"mK11...",
   "expiresIn":7200,
   "tokenType":"Bearer",
   "scope":"openid email"
}

The use of Lock with response type code implies that the tokens that were requested will be provided after performing an authorization code exchange at the token endpoint. In summary, the refresh token, if one were issued, would never be available to Lock, which is running client-side in the browser.

In addition, the refresh token will only be issued if the API associated with the provided audience allows refresh tokens to be issued (aka allows offline access).

If you try with response type token then the authorization endpoint will immediately provide you with the tokens (aka implicit grant) and you don’t have to perform an additional exchange at the token endpoint. However, with an OIDC-compliant implicit grant, given the tokens are returned and visible to the client-side part of the web application, the issuance of refresh tokens is not supported.

In conclusion, if you have a server-side web application you should use code and the server-side should exchange the code for the tokens; if you have a SPA you should use token (implicit grant) and when the initial token expires try to obtain a new one using silent authentication.

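The server-side code exchange the answer recommends, written out as an added Node.js example (not code from this thread or from Auth0's libraries). The tenant domain, client id and secret, and redirect URI are placeholder assumptions; the audience is the one from the question's Lock options.

```javascript
// Added example, not code from the original thread or from Auth0's SDKs.
// Domain, client id/secret and redirect URI are placeholders.
const AUTH0_DOMAIN = 'YOUR_TENANT.auth0.com';
const CLIENT_ID = 'YOUR_CLIENT_ID';
const CLIENT_SECRET = 'YOUR_CLIENT_SECRET'; // lives only on the server
const REDIRECT_URI = 'https://app.example.com/callback';
const AUDIENCE = 'http://api.mydomain.com/api/v2'; // audience from the question
// 1. Send the browser to /authorize with response_type=code: it gets back only a one-time
// code. offline_access requests a refresh token, issued only if the API allows offline access.
function buildAuthorizeUrl(state) {
  const q = new URLSearchParams({
    response_type: 'code', client_id: CLIENT_ID, redirect_uri: REDIRECT_URI,
    audience: AUDIENCE, scope: 'openid offline_access email', state,
  });
  return `https://${AUTH0_DOMAIN}/authorize?${q}`;
}
// 2. On the callback, compare state with the value saved in the session before the redirect.
function checkState(received, expected) {
  return typeof received === 'string' && received.length > 0 && received === expected;
}
// 3. Build the authorization_code exchange for /oauth/token. It needs the client
// secret, which is why the exchange cannot happen inside Lock in the browser.
function buildCodeExchangeRequest(code) {
  const body = JSON.stringify({
    grant_type: 'authorization_code', client_id: CLIENT_ID,
    client_secret: CLIENT_SECRET, code, redirect_uri: REDIRECT_URI,
  });
  return {
    url: `https://${AUTH0_DOMAIN}/oauth/token`,
    init: { method: 'POST', headers: { 'content-type': 'application/json' }, body },
  };
}
// 4. Only the access token goes back toward the client; the refresh token
// (if issued) stays in server-side storage tied to the user's session.
function partitionTokens(tokenResponse) {
  return {
    forClient: { accessToken: tokenResponse.access_token, expiresIn: tokenResponse.expires_in },
    serverOnly: { refreshToken: tokenResponse.refresh_token || null },
  };
}
// Glue for the callback route; fetchImpl is injectable so the flow can run offline.
async function handleCallback({ code, state, expectedState, fetchImpl = globalThis.fetch }) {
  if (!checkState(state, expectedState)) throw new Error('state mismatch on callback');
  const { url, init } = buildCodeExchangeRequest(code);
  const res = await fetchImpl(url, init);
  if (!res.ok) throw new Error(`token endpoint returned ${res.status}`);
  return partitionTokens(await res.json());
}
```

A later refresh is the same POST to /oauth/token with grant_type refresh_token, again from the server, so the browser never sees the refresh token.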

@jmangelo thanks for your prompt reply. I know it is a little different from what I asked originally, but I have a mobile app built using Ionic, and the user can choose to sync data from Fitbit. The user has the ability to sync manually, or there will be a Windows service syncing data overnight. I am not sure what I can do to authenticate the user when the Windows service is running overnight. My backend is WebAPI plus Windows services to fetch user data.

What you now describe implies that you would need a refresh token and access token for the Fitbit API itself. Have in mind that the tokens resulting from an authentication flow that was processed through Auth0 are tokens associated with Auth0 itself and not the underlying social provider. You can still obtain the underlying provider tokens through this process, but that process only supports obtaining refresh tokens for some of the providers, and Fitbit is not one of them.