Problem statement
Can the refresh tokens issued for a client be used with another client ID so that the user does not have to log in again to get a new refresh token, or will the user need to log in again?
Solution
If a refresh token is issued for client A but then used with Client B, the Auth0 authentication server returns the following error:
{
"metadata": {
"message": "{\"error\":\"invalid_grant\",\"error_description\":\"The client associated with this refresh token (CLIENT_ID_A) is different than the one sent in the request (CLIENT_ID_B).\"}"
},
"code": "invalid_grant",
"message": "Invalid grant."
}
The only solution is to have the user receive a new refresh token. This can happen by a new login or a silent authentication.
Silent login can help to get a new refresh token without the user having to re-enter their credentials if the following conditions are met:
- The mobile app has implemented a Universal Login flow
- The app uses the same browser for the silent login attempts
- If the session for the user is still active on Auth0 from the previous login attempt
The silent authentication has some limitations due to the third-party cookie behaviour of the browsers, e.g.; Safari’s Intelligent Tracking Prevention (ITP) feature may cause the silent authentication to fail unexpectedly. The application should start a new login flow if the silent authentication fails.