404 when asking to refresh an access token

I am slowing implementing the PKCE flow, and now at the point of refreshing tokens I continue to get 404 responses.

I have turned on offline access

I reduced the token lifetime for testing

I have sent the offline_access as scope:


Here is my refresh request:

curl "https://dev-8821kz09.auth0.com/oath/token" 
-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0" 
-H "Accept: application/json" 
-H "Accept-Language: en-CA,en-US;q=0.7,en;q=0.3" --compressed 
-H "Referer: http://localhost:3000/home?code=BZjtS7V3IGdQVDJP&state=SUeWnnCd_FnHCiX0kcj0M5KVkFn7Uv_cw7jogTWE1Q8" 
-H "content-type: application/x-www-form-urlencoded" 
-H "Origin: http://localhost:3000" 
-H "Connection: keep-alive" 
-H "TE: Trailers" 
--data "grant_type=refresh_token&client_id=FYlBPbNm7vZi9YPwVFyR7J2TLKrzNtST&refresh_token=xxx"

What did I do wrong?

Thank you.

I also tried to revoke the refresh token, but my browser will simply not allow me to send the request. Rather, the pre-flight OPTIONS request looks like:

curl "https://dev-8821kz09.auth0.com/oath/revoke" 
-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0" 
-H "Accept: */*" 
-H "Accept-Language: en-CA,en-US;q=0.7,en;q=0.3" --compressed 
-H "Access-Control-Request-Method: POST" 
-H "Access-Control-Request-Headers: content-type" 
-H "Referer: http://localhost:3000/home?code=UmDFrDA0OtYHJg8M&state=2f8wvD7ud_85f_N3rr8yXLNPw-iClPYfVoFcwS7ryDs" 
-H "Origin: http://localhost:3000" -H "Connection: keep-alive"

Here is the response. I guess, the browser interprets as not allowed.

HTTP/2.0 200 OK
date: Sat, 05 Oct 2019 13:15:23 GMT
content-type: text/plain; charset=utf-8
content-length: 2
server: nginx
ot-tracer-spanid: 436326667bd01329
ot-tracer-traceid: 1cd52702642881c6
ot-tracer-sampled: true
x-auth0-requestid: 33b0ab988b4eaf7722ca
set-cookie: did=s%3Av0%3A30265fa0-e772-11e9-85eb-9bd6037685d2.pS85g1BzRXcBlR0of81LenNCfVR5mY2XinFN9SFTq60; Max-Age=157788000; Path=/; Expires=Fri, 04 Oct 2024 19:15:23 GMT; HttpOnly; Secure
access-control-max-age: 1000
access-control-allow-methods: GET, PUT, POST, DELETE, PATCH, OPTIONS
access-control-allow-headers: Origin, Content-Type, Accept, X-Requested-With, Authorization, Auth0-Client, X-Request-Language
etag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
cache-control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, no-transform
strict-transport-security: max-age=15724800
x-robots-tag: noindex, nofollow, nosnippet, noarchive
X-Firefox-Spdy: h2

To be clear, this is not the same problem as attempting to refresh an access token: The /oath/token pre-flight OPTIONS call is made but the POST returns 404; whereas the /oath/revoke fails the pre-flight OPTIONS call, and no POST is made.

Comparing the /oath/revoke OPTIONS response, it appears to be missing

access-control-allow-origin: http://localhost:3000

which gets returned by the other endpoints.

Always good to spell correctly: Us “oauth” not “oath” https://dev-8821kz09.auth0.com/oath/revoke

Hi @klahnakoski,

Is this in a single page app? If so, we do not recommend allowing refresh tokens to be requested for client side applications. From this doc:

A Refresh Token is essentially a user credential that allows a user to remain authenticated indefinitely. This sensitive information should be stored securely and not exposed client-side in a browser.

This includes the PKCE flow, and is true for all SPAs at this time.


1 Like

This was only a SPA because the code is Javascript, in an experimental repo, while I confirm the authentication dance.

1 Like

Sounds like you have it covered. Great!


This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.