I have a React Remix application, and I am trying to handle refreshing access tokens when they have expired. I have activated offline_access and the OAuth2 strategy should be configured correctly.
First I tried to use the strategy.refreshToken(refreshToken) function from this documentation, as we use the OAuth2Strategy with Auth0 as the provider (this is taken from the remix-auth OAuth2Strategy documentation). However, this didn't work and I kept getting "UnexpectedResponseError: Unexpected error response" with a Vite server response of 500, but I couldn't figure out why. Then I tried to use the Auth0 documentation for manually refreshing a token with this code:

curl --request POST \
  --url 'https://{domain}/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=refresh_token \
  --data 'client_id={clientID}' \
  --data 'client_secret={yourClientSecret}' \
  --data 'refresh_token={yourRefreshToken}'

But when I did this I kept getting: {"error":"access_denied","error_description":"Invalid URL"}
(I have triple checked that the variables are correct).
What could be wrong with the way I am trying to refresh an access token? I couldn't find any good documentation on the error messages so I am a bit lost.
Reading through your use-case, one of the main causes for this behaviour would be if your application has been configured to use a Custom Domain, but the curl command you are trying to use points to your Auth0 tenant instead. I recommend checking in your Auth0 tenant under Tenant Settings > Custom Domains and change the token endpoint accordingly.
If this is checked and correctly configured, here are my thoughts and what you should look for next:
1. Try using this setup with a Regular Web App instead of a Single Page App, if applicable. Server-side flows that use a client secret are most likely designed to work with a Regular Web App instead. Although the following is not official documentation and I recommend taking everything with a grain of salt, it is mentioned how an RWA is more suited to this build compared to a SPA and it should provide useful information;
2. Check the Refresh Token Rotation: if this is enabled (which we recommend), you should be getting a new refresh token once the old one is used. In case your code is not saving the refresh tokens, it could be trying to use an old one that has been invalidated and the flow will fail. On the server-side Remix code, you can add a log to inspect the token before calling strategy.refreshToken() to make sure it's valid;
3. Verify that Token Endpoint Authentication is correctly set depending on what request type you are using (POST or GET).
Hopefully this helps clear the issue, but will be waiting for your update!
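To make the checks above concrete, here is an added example (not code from the thread or from remix-auth) of a server-side refresh helper that sends the same refresh_token grant as the curl command, surfaces Auth0's error body instead of a bare 500, and keeps the rotated refresh token so the next refresh does not reuse an invalidated one. The domain value and the stub token endpoint are constructed placeholders.

```javascript
// Placeholder tenant; with a Custom Domain configured, this must be the custom domain,
// not the default tenant domain, or the token endpoint will reject the request.
const AUTH0_DOMAIN = "example-tenant.example.com";

function tokenEndpoint(domain) {
  return `https://${domain}/oauth/token`;
}

// Exchanges a refresh token for a new access token (and, with Refresh Token
// Rotation enabled, a new refresh token). `fetchImpl` is injectable so the
// example can run offline against the stub below; in Remix, pass nothing and
// the global fetch is used.
async function refreshAccessToken({ domain, clientId, clientSecret, refreshToken, fetchImpl = fetch }) {
  const body = new URLSearchParams({
    grant_type: "refresh_token",
    client_id: clientId,
    client_secret: clientSecret,
    refresh_token: refreshToken,
  });
  const res = await fetchImpl(tokenEndpoint(domain), {
    method: "POST",
    headers: { "content-type": "application/x-www-form-urlencoded" },
    body,
  });
  const payload = await res.json();
  if (!res.ok || payload.error) {
    // Log/raise Auth0's own error (e.g. access_denied / "Invalid URL") rather than a generic 500.
    throw new Error(`token refresh failed: ${payload.error ?? res.status}: ${payload.error_description ?? ""}`);
  }
  return {
    accessToken: payload.access_token,
    // With rotation enabled the old refresh token is now invalid: persist this one in the session.
    refreshToken: payload.refresh_token ?? refreshToken,
    expiresAt: Date.now() + payload.expires_in * 1000,
  };
}

// Constructed stub standing in for the Auth0 token endpoint with rotation enabled.
// It only accepts the current refresh token "rt_old"; anything else gets an error body.
function stubAuth0Fetch(url, init) {
  const params = new URLSearchParams(init.body.toString());
  const ok =
    url === tokenEndpoint(AUTH0_DOMAIN) &&
    params.get("grant_type") === "refresh_token" &&
    params.get("refresh_token") === "rt_old";
  const json = ok
    ? { access_token: "at_new", refresh_token: "rt_new", expires_in: 3600, token_type: "Bearer" }
    : { error: "access_denied", error_description: "Invalid URL" };
  return Promise.resolve({ ok, status: ok ? 200 : 403, json: async () => json });
}
```

In a Remix loader or action, write the returned refreshToken back into the session (session.set) before committing it, so a rotated token is never reused.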
After some debugging we figured out that the issue was related to some post-login actions (that we did not know were triggered by refreshing tokens). But thank you for your help!