We’re trying to call the Authentication Token endpoint with a call like this:
curl -X "POST" "https://ourapp.eu.auth0.com/oauth/token" \
  -H 'Cache-Control: no-cache' \
  -H 'Content-Type: application/json' \
  -d $'{
    "password": "PASSWORD",
    "scope": "openid profile offline_access",
    "grant_type": "http://auth0.com/oauth/grant-type/password-realm",
    "realm": "{OUR_REALM}",
    "username": "{USER}",
    "audience": "{AUDIENCE}",
    "client_id": "{CLIENT_ID}"
  }'
The call is made from a Native Client, and the API for that audience is set to Allow Offline Access.
However, in response we get:
{
  "access_token": ...,
  "id_token": ...,
  "scope": "openid profile",
  "expires_in": 86400,
  "token_type": "Bearer"
}
So I’m not sure what we’re doing wrong. Are we using the flow incorrectly? What is the way we should be authenticating our mobile apps with a refresh token?