Refresh token as JWT

thorsten.weber · July 18, 2017, 9:45pm

Is it possible to obtain a JWT-based refresh token? Can I configure Auth0 in a way to get such one automatically?

jmangelo · July 18, 2017, 11:44pm

Within the scope of OpenID Connect/OAuth2 the refresh token is issued and consumed by the identity provider/authorization server so the format is left as an implementation detail. In the case of the Auth0 service, the identity provider and authorization server is your associated Auth0 account and the format used is an opaque token. At this time this is the only format being used.

To my knowledge, the opaque token format is also possibly the one in most widespread use. What’s your particular requirement that would be enabled if Auth0 issued a JWT refresh token?

thorsten.weber · July 19, 2017, 5:44pm

Hi,
we have two requirements.
First, we want to be able to verify a refreshtoken that is digitally signed similar to an accesstoken provided by auth0.
Furthermore, we want to transfer some additional data inside the refreshtoken. Our idea is to use the same structure ‘app_metadata’ as in an jwt-accesstoken. With this additional data, we can use an easy auth0-rule for accessing some static data that we need .
According to the oauth2 spec, it is possible to use a jwt-based refreshtoken for the refreshing steps.
Kind regards,
Thorsten

thorsten.weber · July 19, 2017, 5:44pm

Hi,
we have two requirements.
First, we want to be able to verify a refreshtoken that is digitally signed similar to an accesstoken provided by auth0.
Furthermore, we want to transfer some additional data inside the refreshtoken. Our idea is to use the same structure ‘app_metadata’ as in an jwt-accesstoken. With this additional data, we can use an easy auth0-rule for accessing some static data that we need .
According to the oauth2 spec, it is possible to use a jwt-based refreshtoken for the refreshing steps.
Kind regards,
Thorsten

jmangelo · July 19, 2017, 9:17pm

Yes, the specification does not mandate a specific format; as mentioned it’s an implementation detail of the authorization server and at this time, to my knowledge, we don’t support refresh tokens in other format than the currently used one (an opaque token).

thorsten.weber · July 19, 2017, 11:18pm

Interesting. Do you have any plans to support refresh tokens based on JWT? Is it interesting for auth0 as a authorization server provider or for your customers? Imho, a refreshtoken based on jwt could be a nice extension for auth0 ;.)
Kind regards,
Thorsten