Hello everyone!
I work at the SDK team on Auth0-SPA-JS, and will try to provide some information around whats happening.
Based on the information in the thread, I am not convinced this is a bug. But I am also not saying it can not be a bug, but we will need more information to know that.
But first, let me try and explain why this error shows up in v2, when it never showed up in v1.
TDLR:
Try and set useRefreshTokensFallback to true in v2 (I have also updated our FAQ for this). If that does not restore behavior like you saw it with v1, please read the information below and reach out to us with more information through our GitHub repository.
So what’s going on?
Our SDK has two ways to retrieve a token:
- Using iframes, which relies on 3rd party cookies (unless using custom domains)
- Using refresh tokens
When using refresh tokens fails, we fall back to using an iframe based on the value of useRefreshTokensFallback. If it’s true, we try the iframe, if it’s false we throw “missing refresh token” in the event that we do not have a refresh token available. See this check in our SDK.
Based on the v2 migration guide, you can see that we flipped the default value for useRefreshTokensFallback from true to false, this was done because more and more browsers are blocking third party cookies, and not everyone is using custom domains.
What this means if you never explicitly set useRefreshTokensFallback, you will suddenly start seeing missing_refresh_token error with v2, while it was swallowed with v1. This is not a bug, but a consequence of the change in the default value. (we might want to better call this out in the migratoin guide)
In a world where you are using refresh tokens without iframes fallback, when we do not have a refresh token available, there is nothing we can do but throw this error and ask you to call login again with the correct values.
If you would enable the useRefreshTokensFallback, it will get a token using an iframe as long as you have a valid active session with Auth0. If not, it will throw login_required.
Reproducing the issue
I have updated our sample application to reproduce this error in a couple of ways that are expected.
In the sample, you see 3 buttons:
- One calling getTokenSilently()
- One calling getTokenSilently({ authorizationParams: { scope: ‘scope-a’}})
- One calling getTokenSilently({ aughorizationParams: { audience: ‘Test’ }})
Both scope and audience are values that are not set when creating the Auth0Client or when calling loginWithRedirect.When the user is not logged in, calling all 3 of these methods throws missing_refresh_token , which is expected, as we have nothing in our cache.
When the user is logged in, we will get a set of tokens for the default audience and scope (so not for scope-a or audience Test). So when the user is logged in, clicking the first button works. However, the two other still throw the same missing_refresh_token error, as we have nothing in our cache for both scope=scope-a or audience=test. Which is still expected.
Clicking all of these buttons when useRefreshTokensFallback is set to true and there is still an active session with Auth0, will no longer throw the missing_refresh_token error but return tokens instead (or well, if the scope and audience are valid values for your tenant, if not you will get different errors, but no longer missing_refresh_token).
Hopefully this helps to provide some information about the behavior you are seeing with v2. If not, happy to try and assist further.