We are looking to support a combination of two features that, upon browsing your docs and manage console, appear to be mutually exclusive. I’m wondering if I’m misunderstanding something here or if this is a truly unsupported case. If it’s not supported, I’d like to put in a feature request.
We are building a CLI and we’re using an Auth0 Native Application to do authentication for it. Our CLI directs its user to the /authorize endpoint where they can perform the login (whether by username/password or social) in the browser and then we listen for the callback that comes with the oauth code and handle the rest (issuing the /oauth/token request and saving the access_token) under the hood in the CLI.
This all works well and we are satisfied with the flow.
Next, we would like to ask for a refresh_token to be returned next to the access_token so that the CLI may perform a silent background refresh. However, when I pass in the offline_access scope in the /authorize request as documented, the scope is seemingly stripped out of the request and I do not receive the refresh_token. Upon looking a little bit deeper, I’m seeing that Machine to Machine Applications might be the only ones that support the refresh_token, but that is not in line with our needs: we need to use the Native Application because we have a user involved.
Please let me know if I’m misunderstanding the configuration or if there are any other details I can provide you with.
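
The flow described in the post, as an added example that is not the poster's or Auth0's code: it builds the /authorize request with offline_access, validates the loopback callback, and reports whether the /oauth/token response actually granted a refresh token. The tenant domain, client ID, loopback port, the use of PKCE and all function names are assumptions made for illustration.

```python
import base64, hashlib, secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed placeholders, not values from the post.
DOMAIN = "example-tenant.auth0.com"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
REDIRECT_URI = "http://127.0.0.1:8912/callback"
SCOPE = "openid profile offline_access"

def pkce_pair():
    """Return (verifier, S256 challenge) as defined in RFC 7636."""
    verifier = secrets.token_urlsafe(48)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def authorize_url(state, challenge):
    """URL the CLI opens in the user's browser."""
    query = urlencode({
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "scope": SCOPE, "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    })
    return f"https://{DOMAIN}/authorize?{query}"

def code_from_callback(callback_url, expected_state):
    """Extract the code from the loopback callback, rejecting a wrong state."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    state = params.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    return params["code"][0]

def refresh_grant_problems(token_response, requested_scope=SCOPE):
    """List the reasons a silent refresh will not be possible."""
    # RFC 6749 section 5.1: "scope" may be omitted only if it equals the request.
    granted = token_response.get("scope", requested_scope).split()
    problems = []
    if "offline_access" not in granted:
        problems.append("offline_access not granted")
    if not token_response.get("refresh_token"):
        problems.append("no refresh_token in response")
    return problems
```

Running refresh_grant_problems on the parsed /oauth/token response right after login lets the CLI report a narrowed scope immediately instead of failing later when the access_token expires.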