We have a mobile application built with React Native and using the “react-native-auth0” SDK. Our application uses the “Resource Owner Password” style of authentication, using a login form written in React Native. We started with a beta version of the SDK, v1.0.0-beta.1, which uses the legacy endpoints for authentication (/oauth/ro) and token refresh (/delegation).
The new React Native Auth0 SDK, v1.0.3, uses the modern endpoint (/oauth/token) for authentication and token refresh.
As part of migrating from the old to the new SDK, we saw that ID tokens were now being signed with the RS256 algorithm instead of HS256. We modified the mobile app’s API server to handle both algorithms (so that we can support old and new clients).
However, when using refresh tokens, we noticed that a refresh token acquired from the legacy endpoint will not return a new ID token when passed to the non-legacy endpoint. When the user downloads and installs the new version of the app with the new SDK, the app will pass a refresh token from the legacy endpoint (/oauth/ro) to the new API for token refresh (/oauth/token). Does Auth0 support returning an ID token as part of that refresh?
The answer to the title question is yes, they technically work, as in, they will not trigger a failed request, however, they provide limited functionality so the they work part highly depends on your scenario and based on your information you were expecting an ID token and to my knowledge at this time an ID token will not be issued when doing such sort of request that bridges legacy and new flows.
In addition, the recommended approach would be for you to no longer send ID tokens to the API and instead obtain access tokens suitable for the API in question through any of the supported API Authorization flows (aka audience parameter). At this time, access tokens issued to your own API’s will be JWT’s so from your API perspective it would be very similar to what you likely already have and most of the changes would be confined to the client application itself.
@andrewgoodale As you are in the legacy flows with RO and Delegation, in order to use your refresh token to get a new id_token you could make call to /delegation endpoint passing:
client_id
scope
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
refresh_token
This would return id_token with which you should make /delegation to get your refreshed access token.
This is technically correct, you can consider the use of refresh token in /delegation as that would keep everything under the legacy umbrella, however, the recommendation if possible would be to move from the legacy methods.