No refreshToken being returned in social authentication

tmarren · December 16, 2017, 4:31am

I am trying to use buildAuthorizeUrl() to send a user directly to the google login screen. However when I get the response I have accessToken and idToken but refreshToken is set to null. I’m currently implementing it like so:

let webAuth = new WebAuth({
  domain: 'domain',
  clientID: this.config.auth0.clientId,
  scope: 'openid profile email offline_access',
  audience: this.config.auth0.audience,
  redirectUri: this.config.auth0.socialCallbackURL,
  responseType: 'token id_token'
})

let url = webAuth.client.buildAuthorizeUrl({ nonce: this.config.auth0.nonce, connection:'google-oauth2' })

Then when I get the url back I grab the hash off the end and use parseHash()

webAuth.parseHash({ hash: hash, nonce: this.config.auth0.nonce }, (err, authResult) => {})

The value of authResult returns refreshToken set to null

jmangelo · December 18, 2017, 6:28pm

You’re using the OIDC/OAuth 2.0 implicit grant when you configure a response type of token id_token. A consequence of using this grant is that by specification refresh tokens are not returned.

However, web applications can leverage the fact that the initial authentication establishes an authenticated session at the identity provider in order to obtain renewed tokens without forcing the end-user to authenticate again. This has some similarities to refresh tokens although is not exactly the same as the web application will only be able to do this while the session at the identity provider is available.

You should check the reference docs on silent authentication and also the checkSession method of Auth0.js library.

tmarren · December 18, 2017, 10:27pm

Thanks for your answer! That makes sense.