Ability to Migrate Refresh Tokens to Another Client on the Same Tenant

Problem statement

Can the refresh tokens issued for a client be used with another client ID so that the user does not have to log in again to get a new refresh token, or will the user need to log in again?

Solution

If a refresh token is issued for client A but then presented to the token endpoint with client B's client ID, the Auth0 authentication server returns the following error:

{
  "metadata": {
    "message": "{\"error\":\"invalid_grant\",\"error_description\":\"The client associated with this refresh token (CLIENT_ID_A) is different than the one sent in the request (CLIENT_ID_B).\"}"
  },
  "code": "invalid_grant",
  "message": "Invalid grant."
}

The only solution is for the user to obtain a new refresh token issued to the new client. This can happen either through a new login or through silent authentication.

Silent authentication can obtain a new refresh token without the user having to re-enter their credentials if the following conditions are met:

  • The mobile app has implemented a Universal Login flow
  • The app uses the same browser for the silent authentication attempts (so the Auth0 session cookie is available)
  • The user's session on Auth0 from the previous login is still active

Silent authentication has some limitations due to the third-party cookie behaviour of browsers; for example, Safari's Intelligent Tracking Prevention (ITP) feature may cause silent authentication to fail unexpectedly. The application should start a new interactive login flow if silent authentication fails.
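The client-side logic described above, as an added example that is not part of this article or of any Auth0 SDK: it recognises the client-mismatch invalid_grant error from the token endpoint, builds a silent authentication request (prompt=none, offline_access) for the new client, and decides from the callback whether to exchange the code or fall back to an interactive login. The tenant domain, client IDs, redirect URI, audience and callback URLs are assumed placeholder values.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs

# /authorize errors that mean "prompt=none could not finish without user interaction";
# the app should start a normal (interactive) login when it sees one of these.
SILENT_AUTH_FAILURES = {"login_required", "interaction_required", "consent_required"}


def classify_refresh_error(token_response_body: str) -> str:
    """Classify a token-endpoint error body returned for a refresh_token grant.

    Returns 'client_mismatch' when the refresh token belongs to a different
    client than the one in the request, 'invalid_grant' for any other
    invalid_grant error, and 'other' for everything else."""
    body = json.loads(token_response_body)
    if body.get("error") != "invalid_grant":
        return "other"
    description = body.get("error_description", "")
    if "client associated with this refresh token" in description:
        return "client_mismatch"
    return "invalid_grant"


def silent_auth_url(domain: str, client_id: str, redirect_uri: str, audience: str, state: str) -> str:
    """Build the silent authentication request for the new client."""
    params = {
        "response_type": "code",
        "client_id": client_id,          # the client that should own the new refresh token
        "redirect_uri": redirect_uri,
        "scope": "openid offline_access",  # offline_access asks for a refresh token
        "audience": audience,
        "prompt": "none",                # fail instead of showing a login page
        "state": state,                  # random per-request value; checked on return
    }
    return f"https://{domain}/authorize?{urlencode(params)}"


def next_step(callback_url: str, expected_state: str):
    """Decide what the app does once the silent-auth redirect arrives."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        return ("reject", None)          # state mismatch: do not trust this response
    if "code" in query:
        return ("exchange_code", query["code"][0])   # exchange for tokens at /oauth/token
    error = query.get("error", [""])[0]
    if error in SILENT_AUTH_FAILURES:
        return ("interactive_login", error)          # e.g. ITP dropped the session cookie
    return ("fail", error)
```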