Auth0-node Refresh Grant Missing Payload

dave-mogi · January 21, 2024, 10:36pm

I’m using the latest version of auth0-node (4.2.0) to do a refresh grant exactly as shown in the example:

import { AuthenticationClient } from 'auth0';

const auth = new AuthenticationClient({
  domain: '{YOUR_TENANT_AND REGION}.auth0.com',
  clientId: '{YOUR_CLIENT_ID}',
  clientSecret: '{YOUR_CLIENT_SECRET}',
});

// Get a new access token
const {
  data: { access_token },
} = await auth.oauth.refreshTokenGrant({
  refresh_token: refreshToken,
});

I’ve populated domain with the tenant and region subdomain as shown in the example. The access token returned is missing the payload:

"access_token": "[...]29tLyJ9..JdBYlv[...]", // <- token is missing payload: ".."

dave-mogi · January 26, 2024, 4:54pm

I raised an issue in the auth0-node repo: Refresh Token Grant Access Token is Missing Payload · Issue #983 · auth0/node-auth0 · GitHub

tyf · January 26, 2024, 9:11pm

Hey there @dave-mogi welcome to the community!

Thanks for opening up a GH issue as well - Given this is a refresh token grant/exchange, I’m curious to know if the access obtained before the refresh has the expected payload?

dave-mogi · January 27, 2024, 2:45pm

No, it didn’t! I had gotten the refresh token from a password grant without originally passing an audience, resulting in a a set of tokens where the access token did not have a payload. It was the refresh token from this set that I was using that was not returning access tokens with payloads in subsequent refresh token grants.

I’ll open a PR for the SDK documentation, to clarify how this is supposed to work.

dave-mogi · January 27, 2024, 3:26pm

Here’s a PR to update the SDK documentation: Clarify obtaining a refresh token that can be used to obtain JWT acce… by davidwarshaw · Pull Request #984 · auth0/node-auth0 · GitHub

system · February 10, 2024, 3:26pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.