I’m using auth0-react in my application to authenticate users. I’m trying to get the refresh token, but every time I add the scope, it’s getting overwritten by the default scopes.
Here’s the provider data
    <Auth0Provider
      domain={ENVIRONMENT}
      clientId={ENVIRONMENT}
      authorizationParams={{
        redirect_uri: CALLBACK_URL,
        audience: ENVIRONMENT,
        scope: 'openid profile email offline_access',
      }}
    >
Here’s the loginWithRedirect
    loginWithRedirect({
      authorizationParams: { scope: 'openid profile email offline_access' },
    }).catch(console.error);
and here is getting access token
    accessToken = await getAccessTokenSilently({
      timeoutInSeconds: 1,
      authorizationParams: { scope: 'openid profile email offline_access' },
    });
Whenever I send the request, it’s always without the offline_access scope.
I also have the refresh token enabled for the app
tyf
May 22, 2024, 11:00pm
3
Hey there @omar.muhtaseb welcome to the community!
Interesting. Does setting useRefreshTokens={true} in Auth0Provider cause the offline_access scope to be included?
tyf
May 23, 2024, 4:17pm
5
Thanks for confirming - Does the API which you are using as audience have the “allow offline access” option toggled?
I don’t see this option in my API
tyf
May 23, 2024, 9:33pm
7
Are you by chance using the management API as your audience (https://{your_domain}/api/v2)?
Hi!
The issue here is that you are using the management API. It is not possible to get refresh tokens for the Management API, so therefore there is no “Offline Access” to enable in the settings. You will instead need to create a new token each time, which can be done programmatically by following the steps here: Get Management API Access Tokens for Production
Other APIs have refresh tokens / enable Offline access, but the management API does not because it only supports client credentials grant…
Yes, that’s the API I’m using.
Based on what you just shared, do I need to create another API to get a refresh token? I need to implement the offline access in my case.
tyf
May 28, 2024, 9:56pm
9
Thanks for confirming!
Yes, you will need to register an API in Auth0. At that point you will be able to add the offline_access scope and use refresh tokens.
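The two conditions this thread identified can be checked directly on the /authorize request the browser sends. The following is an added example, not part of the original posts and not Auth0's code; the function names, the sample URLs and the path-based Management API heuristic are assumptions made for illustration.

```javascript
// Added example (not from the thread). Checks an Auth0 /authorize request URL,
// e.g. copied from the browser's network tab, for the two conditions discussed
// in the thread that lead to no refresh token being issued.

// Heuristic (assumption): treat any audience whose path is /api/v2 as the
// Management API, matching the https://{your_domain}/api/v2 form in the thread.
function isManagementApiAudience(audience) {
  try {
    const path = new URL(audience).pathname.replace(/\/+$/, '');
    return path === '/api/v2';
  } catch {
    return false; // API identifiers need not be URLs
  }
}

function diagnoseAuthorizeRequest(authorizeUrl) {
  const params = new URL(authorizeUrl).searchParams;
  const scopes = (params.get('scope') || '').split(/\s+/).filter(Boolean);
  const audience = params.get('audience') || '';
  const problems = [];
  if (!scopes.includes('offline_access')) {
    problems.push('offline_access missing from requested scope');
  }
  if (isManagementApiAudience(audience)) {
    problems.push('audience is the Management API (no refresh tokens)');
  }
  return { scopes, audience, problems };
}

// Constructed sample requests; domain, client_id and API identifier are placeholders.
const SAMPLE_FAILING =
  'https://tenant.example.com/authorize?client_id=PLACEHOLDER&response_type=code' +
  '&scope=openid%20profile%20email' +
  '&audience=https%3A%2F%2Ftenant.example.com%2Fapi%2Fv2%2F';
const SAMPLE_OK =
  'https://tenant.example.com/authorize?client_id=PLACEHOLDER&response_type=code' +
  '&scope=openid+profile+email+offline_access' +
  '&audience=https%3A%2F%2Fapi.example.com';

for (const url of [SAMPLE_FAILING, SAMPLE_OK]) {
  const { problems } = diagnoseAuthorizeRequest(url);
  console.log(problems.length ? problems.join('; ') : 'no problems found');
}
```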