Unable to Set Device Name Refresh Token

cbrown · November 7, 2017, 2:06am

Previously using the Auth0 Lock library we were able to generate refresh tokens by setting the following parameters:

    scope: 'openid offline_access profile',
    audience: 'audience',
    device: "my-device"
}```

However, the `device` parameter is no longer respected. Instead it appears as though the `user-agent` header is used to determine what the device name is used for generating refresh tokens. Is it still possible to generate a refresh token in this manner? What is the best way to be able to set the name so that users can track their refresh tokens and delete unused or cycle them out as they need to for security purposes.

jmangelo · December 13, 2017, 7:39pm

See this answer to a related question for additional information, but the summary is that as you said the device functionality is associated with legacy endpoints and you should not try to leverage it if you’re not using legacy endpoints. In other words, although the user agent is currently reflected as the device you should take a dependency on this as there’s no documented notion of device in non-legacy endpoints.