Blazor App not getting refresh token

I’m building a Blazor app and I cannot seem to obtain a Refresh Token. Is there something I’m missing here in order to get this working?

Here is my Program.cs

builder
	.Services
	.AddOidcAuthentication(options =>
	{
		// Authority, ClientId, RedirectUri, DefaultScopes and ResponseType are bound from the "Auth0" config section
		builder.Configuration.Bind("Auth0", options.ProviderOptions);
		// Map the namespaced custom claim to the role claim used by [Authorize(Roles = ...)]
		options.UserOptions.RoleClaim = builder.Configuration["Auth0:CustomClaimsSchema"] + "/roles";
		// Auth0 needs an audience on the /authorize request to issue an access token for the API
		options.ProviderOptions.AdditionalProviderParameters.Add("audience", builder.Configuration["Auth0:Audience"]);
	})
	.AddAccountClaimsPrincipalFactory<ArrayClaimsPrincipalFactory<RemoteUserAccount>>();

The config

"Auth0": {
  "Authority": "https://--redacted--",
  "ClientId": "--redacted--",
  "Audience": "https://--redacted--",
  "RedirectUri": "https://localhost:5000/auth/login-callback",
  "CustomClaimsSchema": "https://--redacted--",
  "DefaultScopes": ["email", "offline_access"],
  "ResponseType": "id_token token"
}

My response is as follows

{
  "id_token": "--redacted--",
  "token_type": "Bearer",
  "scope": "openid profile email offline_access",
  "profile": {
    "https://cannect.app/claims/user_id": "83sPs1siLa",
    "https://cannect.app/roles": [
      "tenant-owner",
      "system-user"
    ],
    "https://cannect.app/tenants": [
      {
        "Gs1CompanyPrefix": "4463756",
        "TenantId": "kQ0Jev",
        "TenantName": "cannect",
        "TenantRole": "tenant-owner"
      },
      {
        "Gs1CompanyPrefix": "4463756",
        "TenantId": "kQ0Jev",
        "TenantName": "cannect",
        "TenantRole": "tenant-owner"
      }
    ],
    "given_name": "Chase",
    "family_name": "---",
    "nickname": "chase.---",
    "name": "Chase ---",
    "picture": "https://lh3.googleusercontent.com/a/-redacted-",
    "locale": "en",
    "updated_at": "2023-09-04T16:30:44.093Z",
    "email": "-redacted-",
    "email_verified": true,
    "sub": "google-oauth2|-redacted-",
    "sid": "-redacted-"
  },
  "expires_at": 1693852247
}

And I’ve definitely turned on Refresh Tokens in my dashboard

Hi @chase-cannect,

Welcome back to the Auth0 Community!

Can you please confirm you have toggled on the Allow Offline Access setting for your API in the Auth0 Dashboard? The API you are using should correspond with the audience parameter you are using in your Blazor app.

Thanks!

I believe so, the API (Audience) I’m using has the following


Thank you for the additional information.

Could you please DM me a HAR file of the transaction?

Thanks for the HAR.

I think this may be the issue: Implicit Flow with OIDC

Thank you for the response.
I’m not entirely sure where to start to change over, what am I missing?

Refresh tokens aren’t allowed with the Implicit Flow.

You should upgrade to the code flow to request a refresh token. Here’s a resource that may be helpful:

So, are you saying that I can no longer use my custom Flow?

You can still use your custom Actions, they should not be affected.

It appears you are still using the Implicit Flow, which is a legacy authentication protocol flow that is considered less secure. It doesn’t allow for refresh tokens as a result, and I suggest updating your app to the Auth Code Flow.

Does that help clarify?

So I thought I had followed all of this in detail, however after reading this article, I discovered one single line was missing

options.ProviderOptions.ResponseType = "code";

After adding this line, I was able to see a refresh_token in the payload

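For reference, here is what the complete Program.cs looks like once the fix from this thread is applied. This is an added example, not the original poster's code or anything from Auth0: it assumes the same "Auth0" appsettings section shown above, a standard Blazor WebAssembly template (the App and HeadOutlet components), and that ArrayClaimsPrincipalFactory is a custom class that already exists in the project, as it does in the original post. The ApiTokenReader class is a hypothetical helper added to show how the app reads the access token the library now manages; it is not part of the framework.

```csharp
// Program.cs for a Blazor WebAssembly standalone app (added example, not the
// thread's original code). Assumes the "Auth0" config section from the thread
// and an existing ArrayClaimsPrincipalFactory class in the project.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components.Web;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
using Microsoft.AspNetCore.Components.WebAssembly.Hosting;

var builder = WebAssemblyHostBuilder.CreateDefault(args);
builder.RootComponents.Add<App>("#app");
builder.RootComponents.Add<HeadOutlet>("head::after");

builder.Services
    .AddOidcAuthentication(options =>
    {
        // Authority, ClientId, RedirectUri and DefaultScopes come from appsettings.json.
        builder.Configuration.Bind("Auth0", options.ProviderOptions);

        // The fix from the thread: request an authorization code instead of the
        // implicit "id_token token". Set it after Bind so a stale "ResponseType"
        // in appsettings.json cannot silently put the app back on the implicit flow.
        // With "code" the library runs the Authorization Code flow with PKCE, and
        // Auth0 can return a refresh_token alongside the access token.
        options.ProviderOptions.ResponseType = "code";

        // offline_access is the scope that actually asks for a refresh token. It only
        // works if "Allow Offline Access" is enabled on the API whose identifier is
        // passed as the audience below.
        if (!options.ProviderOptions.DefaultScopes.Contains("offline_access"))
        {
            options.ProviderOptions.DefaultScopes.Add("offline_access");
        }

        // Auth0 needs the audience on the /authorize request to mint an access
        // token for the API (otherwise it issues an opaque token for /userinfo).
        var audience = builder.Configuration["Auth0:Audience"]
            ?? throw new InvalidOperationException("Auth0:Audience is not configured");
        options.ProviderOptions.AdditionalProviderParameters.Add("audience", audience);

        // Map the namespaced custom claim to the role claim used by [Authorize(Roles = ...)].
        options.UserOptions.RoleClaim = builder.Configuration["Auth0:CustomClaimsSchema"] + "/roles";
    })
    .AddAccountClaimsPrincipalFactory<ArrayClaimsPrincipalFactory<RemoteUserAccount>>();

builder.Services.AddScoped<ApiTokenReader>();

await builder.Build().RunAsync();

// Hypothetical helper (added for this example): components and HTTP handlers should
// obtain the access token through IAccessTokenProvider rather than reading the
// browser storage the library uses. The refresh token itself is never exposed to
// app code; the library uses it when it needs to renew the access token.
public sealed class ApiTokenReader
{
    private readonly IAccessTokenProvider _tokens;

    public ApiTokenReader(IAccessTokenProvider tokens) => _tokens = tokens;

    public async Task<string?> GetAccessTokenAsync()
    {
        AccessTokenResult result = await _tokens.RequestAccessToken();
        if (result.TryGetToken(out AccessToken token))
        {
            return token.Value;
        }

        // Status is RequiresRedirect when the user must sign in (or re-consent)
        // interactively; callers should navigate to result.InteractiveRequestUrl.
        return null;
    }
}
```

One caveat worth keeping in mind: a Blazor WebAssembly app is a public client, so the refresh token ends up in browser storage where the app cannot protect it from script running in the page. Requesting it with "code" plus PKCE is the correct flow, but pair it with Auth0's refresh token rotation (with reuse detection) and short refresh token lifetimes so that a leaked token is worth as little as possible.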

That should do it! I’m glad switching to the Auth Code Flow was that simple (I thought it would be a bit more complex, to be honest).

Thanks for posting your solution too!
