404 when asking to refresh an access token

I am slowly implementing the PKCE flow, and now, at the point of refreshing tokens, I continue to get 404 responses.

I have turned on offline access

I reduced the token lifetime for testing

I have sent the offline_access as scope:

https://dev-8821kz09.auth0.com/authorize
?client_id=FYlBPbNm7vZi9YPwVFyR7J2TLKrzNtST
&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fhome
&audience=https%3A%2F%2Flocahost%2Fquery
&scope=data%3Achange+email+offline_access+openid+profile
&response_type=code&response_mode=query
&state=xFX86-qJdd6Ab-ngM4caqfYX1uPxZ6CTEGvLlymZmo8
&nonce=1Bv0g6acXXifaBkr4LfZUwmAQHES3_X1FYZqv-w3u40
&code_challenge=X0sVsjv8EGchYvfzooDju8FbyDfgu4mW_1qbc0p-5A0
&code_challenge_method=S256

Here is my refresh request:

curl "https://dev-8821kz09.auth0.com/oath/token" \
-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0" \
-H "Accept: application/json" \
-H "Accept-Language: en-CA,en-US;q=0.7,en;q=0.3" --compressed \
-H "Referer: http://localhost:3000/home?code=BZjtS7V3IGdQVDJP&state=SUeWnnCd_FnHCiX0kcj0M5KVkFn7Uv_cw7jogTWE1Q8" \
-H "content-type: application/x-www-form-urlencoded" \
-H "Origin: http://localhost:3000" \
-H "Connection: keep-alive" \
-H "TE: Trailers" \
--data "grant_type=refresh_token&client_id=FYlBPbNm7vZi9YPwVFyR7J2TLKrzNtST&refresh_token=xxx"

What did I do wrong?

Thank you.

I also tried to revoke the refresh token, but my browser will simply not allow me to send the request. Rather, the pre-flight OPTIONS request looks like:

curl "https://dev-8821kz09.auth0.com/oath/revoke" \
-X OPTIONS \
-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0" \
-H "Accept: */*" \
-H "Accept-Language: en-CA,en-US;q=0.7,en;q=0.3" --compressed \
-H "Access-Control-Request-Method: POST" \
-H "Access-Control-Request-Headers: content-type" \
-H "Referer: http://localhost:3000/home?code=UmDFrDA0OtYHJg8M&state=2f8wvD7ud_85f_N3rr8yXLNPw-iClPYfVoFcwS7ryDs" \
-H "Origin: http://localhost:3000" -H "Connection: keep-alive"

Here is the response. I guess the browser interprets it as not allowed.

HTTP/2.0 200 OK
date: Sat, 05 Oct 2019 13:15:23 GMT
content-type: text/plain; charset=utf-8
content-length: 2
server: nginx
ot-tracer-spanid: 436326667bd01329
ot-tracer-traceid: 1cd52702642881c6
ot-tracer-sampled: true
x-auth0-requestid: 33b0ab988b4eaf7722ca
set-cookie: did=s%3Av0%3A30265fa0-e772-11e9-85eb-9bd6037685d2.pS85g1BzRXcBlR0of81LenNCfVR5mY2XinFN9SFTq60; Max-Age=157788000; Path=/; Expires=Fri, 04 Oct 2024 19:15:23 GMT; HttpOnly; Secure
access-control-max-age: 1000
access-control-allow-methods: GET, PUT, POST, DELETE, PATCH, OPTIONS
access-control-allow-headers: Origin, Content-Type, Accept, X-Requested-With, Authorization, Auth0-Client, X-Request-Language
etag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
cache-control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, no-transform
strict-transport-security: max-age=15724800
x-robots-tag: noindex, nofollow, nosnippet, noarchive
X-Firefox-Spdy: h2

To be clear, this is not the same problem as attempting to refresh an access token: The /oath/token pre-flight OPTIONS call is made but the POST returns 404; whereas the /oath/revoke fails the pre-flight OPTIONS call, and no POST is made.

Comparing the /oath/revoke OPTIONS response, it appears to be missing

access-control-allow-origin: http://localhost:3000

which gets returned by the other endpoints.

Always good to spell correctly: Use “oauth”, not “oath”: https://dev-8821kz09.auth0.com/oath/revoke
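An added example, not code from any poster in this thread, showing the two checks the question boils down to: building the refresh-token grant against the correctly spelled /oauth/token path, and replaying the browser's CORS preflight decision over the posted OPTIONS response headers. The tenant domain and client_id are the ones from the question; the header values are copied from the posted response, with the "refresh_token" value being a placeholder.

```python
from urllib.parse import urlencode, urlsplit

# CORS-relevant headers from the /oath/revoke OPTIONS response posted in the question
# (constructed here from that response; note there is no Access-Control-Allow-Origin).
REVOKE_PREFLIGHT = {
    "access-control-allow-methods": "GET, PUT, POST, DELETE, PATCH, OPTIONS",
    "access-control-allow-headers": "Origin, Content-Type, Accept, X-Requested-With, "
                                    "Authorization, Auth0-Client, X-Request-Language",
}

def build_refresh_request(tenant_domain, client_id, refresh_token):
    """Refresh-token grant as RFC 6749 section 6 names it: a form-encoded POST
    to the token endpoint. Returns (url, body, headers)."""
    url = f"https://{tenant_domain}/oauth/token"
    body = urlencode({"grant_type": "refresh_token",
                      "client_id": client_id,
                      "refresh_token": refresh_token})
    return url, body, {"Content-Type": "application/x-www-form-urlencoded"}

def check_endpoint_path(url):
    """Sanity check before sending: a wrong path (e.g. /oath/token) yields a 404
    from the tenant host rather than an OAuth error response."""
    return urlsplit(url).path in ("/oauth/token", "/oauth/revoke")

def preflight_failures(headers, origin, method, request_headers):
    """Replay the browser's preflight decision: the origin must be echoed (or '*'),
    and the method and every requested header must be allowed. Returns the failures."""
    h = {k.lower(): v for k, v in headers.items()}
    failures = []
    if h.get("access-control-allow-origin") not in ("*", origin):
        failures.append("missing or mismatched Access-Control-Allow-Origin")
    methods = {m.strip().upper() for m in h.get("access-control-allow-methods", "").split(",")}
    if method.upper() not in methods:
        failures.append(f"method {method} not allowed")
    allowed = {x.strip().lower() for x in h.get("access-control-allow-headers", "").split(",")}
    failures.extend(f"header {rh} not allowed" for rh in request_headers
                    if rh.lower() not in allowed)
    return failures

if __name__ == "__main__":
    url, body, _ = build_refresh_request("dev-8821kz09.auth0.com",
                                         "FYlBPbNm7vZi9YPwVFyR7J2TLKrzNtST", "xxx")
    print(check_endpoint_path(url), body)
    print(preflight_failures(REVOKE_PREFLIGHT, "http://localhost:3000", "POST", ["content-type"]))
```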

Hi @klahnakoski,

Is this in a single page app? If so, we do not recommend allowing refresh tokens to be requested for client side applications. From this doc:

A Refresh Token is essentially a user credential that allows a user to remain authenticated indefinitely. This sensitive information should be stored securely and not exposed client-side in a browser.

This includes the PKCE flow, and is true for all SPAs at this time.

Thanks,
Dan

This was only a SPA because the code is JavaScript, in an experimental repo, while I confirm the authentication dance.

Sounds like you have it covered. Great!

-Dan