
Anyone? Refreshing tokens: id_token missing in refresh_token response?

oauth
access-token
refresh_token

#1

For my Native app I’m calling authorize() with a scope of openid profile offline_access which results in a request to /oauth/token with this payload:

{"client_id": "BA40...",
 "code": "GGL...",
 "code_verifier": "6WzZ...",
 "grant_type": "authorization_code",
 "redirect_uri": "com.agilitycoursemaster.acmaster://..."}

Auth0 gives me this response:

{"access_token":"1wHAZCEgjcaqjL7I",
"expires_in":86400,
"refresh_token":"9xTm7Q1-EWTfPfuYPQLxpID9WDgv1PqM3VqIyaAXt05so",
"id_token":"eyJ0e...",
"token_type":"Bearer"}

When I refresh the access_token the docs seem to indicate I should get back a new id_token because I had an original scope including openid:
https://auth0.com/docs/tokens/refresh-token/current#use-a-refresh-token

My /oauth/token post payload:

{"client_id": "BA40...",
 "grant_type": "refresh_token",
 "refresh_token": "9xTm7Q1-EWTfPfuYPQLxpID9WDgv1PqM3VqIyaAXt05so"}

But the Auth0 response doesn’t include a new id_token:

{"access_token":"TeWVSARHqyMXmM1q",
"expires_in":86400,
"token_type":"Bearer"}

Can someone tell me what I’m doing wrong?


#2

This is a situation that we are already tracking; at this time, if you need the refresh token exchange to also return an ID token then you need to do one of the following actions:

  • in the Dashboard go to client application advanced settings, select the OAuth section and enable the OIDC Conformant toggle.
  • in the original request to the authorize endpoint include an audience parameter; for example, you can make the request with an audience set to https://[your_account].auth0.com/userinfo.

Have in mind that both of the above options will imply that requests from your client application will strictly follow the OpenID Connect specification. This may mean some breaking changes so do check the reference documentation.
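The two exchanges described in #1 (PKCE authorization-code flow, then a refresh-token grant) and the audience fix suggested in #2, as an added example that is not part of the thread or of Auth0's SDKs. It builds the /authorize URL with an `audience` parameter, builds the refresh payload, and checks a token response for the missing-`id_token` case before trusting the refreshed session. The tenant name, client id, redirect URI, user id and the unsigned sample tokens are all constructed placeholders; the `check_refresh_response` checks (issuer, audience, expiry, same `sub`) are my choices, not a rule from the docs. A real client must also verify the ID token signature against the tenant's JWKS, which this offline example does not do.

```python
import base64
import hashlib
import json
import secrets
import time
from typing import List, Optional
from urllib.parse import urlencode

# Constructed values for this example only; not the poster's tenant, client or tokens.
DOMAIN = "example-tenant.auth0.com"           # hypothetical tenant
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"           # hypothetical native client id
REDIRECT_URI = "com.example.app://callback"   # hypothetical custom-scheme redirect
SCOPE = "openid profile offline_access"        # same scope as in #1
AUDIENCE = f"https://{DOMAIN}/userinfo"        # the audience suggested in #2
NOW = 1_700_000_000                            # fixed clock so the example is deterministic


def make_pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method (RFC 7636)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(code_challenge: str, state: str, nonce: str,
                        audience: Optional[str] = AUDIENCE) -> str:
    """Authorize request for the code flow; 'audience' is what makes Auth0 treat
    the request as OIDC-conformant, so the refresh grant later returns an id_token."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "state": state,    # CSRF binding, checked on the callback
        "nonce": nonce,    # echoed in the ID token, checked after exchange
    }
    if audience:
        params["audience"] = audience
    return f"https://{DOMAIN}/authorize?" + urlencode(params)


def build_refresh_payload(refresh_token: str) -> dict:
    """Body for POST /oauth/token when rotating the access token (no client_secret
    for a public native client)."""
    return {"grant_type": "refresh_token", "client_id": CLIENT_ID,
            "refresh_token": refresh_token}


def decode_jwt_payload(token: str) -> dict:
    """Base64url-decode the claims segment only. No signature verification here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_refresh_response(resp: dict, expected_sub: str,
                           now: Optional[float] = None) -> List[str]:
    """Return a list of problems with a refresh-grant response; [] means usable."""
    now = time.time() if now is None else now
    problems = []
    if "access_token" not in resp:
        problems.append("no access_token")
    if "id_token" not in resp:
        # Exactly the situation in #1: the grant worked but no identity was re-asserted.
        problems.append("no id_token: send audience on /authorize or enable OIDC Conformant")
        return problems
    claims = decode_jwt_payload(resp["id_token"])
    if claims.get("iss") != f"https://{DOMAIN}/":
        problems.append(f"unexpected issuer {claims.get('iss')!r}")
    if claims.get("aud") != CLIENT_ID:
        problems.append("id_token not issued for this client")
    if claims.get("exp", 0) <= now:
        problems.append("id_token expired")
    if claims.get("sub") != expected_sub:
        problems.append("id_token subject changed across refresh")
    return problems


def make_unsigned_id_token(claims: dict) -> str:
    """Constructed, unsigned token (alg=none) so the checks above can run offline."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


def sample_missing_id_token_response() -> dict:
    """Shape of the response the poster received (constructed token values)."""
    return {"access_token": "ACCESS_TOKEN_PLACEHOLDER", "expires_in": 86400,
            "token_type": "Bearer"}


def sample_conformant_response(sub: str = "auth0|example-user") -> dict:
    """Shape of the response after the audience fix (constructed token values)."""
    claims = {"iss": f"https://{DOMAIN}/", "aud": CLIENT_ID, "sub": sub,
              "iat": NOW, "exp": NOW + 36000}
    return {**sample_missing_id_token_response(), "id_token": make_unsigned_id_token(claims)}


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print(build_authorize_url(challenge, state=secrets.token_urlsafe(16),
                              nonce=secrets.token_urlsafe(16)))
    print(check_refresh_response(sample_missing_id_token_response(), "auth0|example-user", NOW))
    print(check_refresh_response(sample_conformant_response(), "auth0|example-user", NOW))
```

Running the script prints the authorize URL (note the `audience=` query parameter), then `['no id_token: ...']` for the response shape from #1 and `[]` for the conformant one. Comparing `sub` across the refresh is a cheap defence against a client accidentally adopting a different user's session after token rotation.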


#3

Thanks @jmangelo! I chose the latter option for my upcoming release; changing to OIDC Conformant would have messed up my existing customers. The only other change I made was to add some additional scopes to the authorize request to get the information I needed in the /userinfo response.

