We are looking to support a combination of two features that, upon browsing your docs and manage console, appear to be mutually exclusive. I’m wondering if I’m misunderstanding something here or if this is a truly unsupported case. If it’s not supported, I’d like to put in a feature request.
We are building a CLI and we’re using an Auth0 Native Application to do authentication for it. Our CLI directs its user to the /authorize endpoint where they can perform the login (whether by username/password or social) in the browser and then we listen for the callback that comes with the oauth code and handle the rest (issuing the /oauth/token request and saving the access_token) under the hood in the CLI.
This all works well and we are satisfied with the flow.
Next, we would like to ask for a refresh_token token to be returned next to the access_token so that the CLI may perform a silent background refresh. However, when I pass in the offline_access scope in the /authorize request as documented, the scope is seemingly stripped out of the request and I do not receive the refresh_token. Upon looking a little bit deeper, I’m seeing that Machine to Machine Applications might be the only ones that support the refresh_token, but that is not in line with our needs: we need to use the Native Application because we have a user involved.
Please let me know if I’m misunderstanding the configuration or if there are any other details I can provide you with.
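
The flow described in the post above, as an added Python example that is not part of the original post and not Auth0's own code: it builds the /authorize request with the offline_access scope and checks a parsed /oauth/token response for a dropped scope or a missing refresh_token. The domain, client ID, redirect URI, function names and sample response are constructed placeholders, and PKCE (RFC 7636) is an addition the post does not mention.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Assumed placeholders for illustration; none of these values come from the post.
DOMAIN = "tenant.example.invalid"
CLIENT_ID = "PLACEHOLDER_CLIENT_ID"
REDIRECT_URI = "http://127.0.0.1:8765/callback"
REQUESTED_SCOPES = ("openid", "profile", "offline_access")
# Constructed sample of the symptom: offline_access dropped, no refresh_token.
SAMPLE_RESPONSE = {"access_token": "x", "token_type": "Bearer", "scope": "openid profile"}


def new_pkce_pair():
    """Return (verifier, challenge) for PKCE with the S256 method."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside the 43-128 limit
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(state, challenge, scopes=REQUESTED_SCOPES):
    """Build the /authorize URL the CLI opens in the user's browser."""
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    return f"https://{DOMAIN}/authorize?{query}"


def check_token_response(resp, requested=REQUESTED_SCOPES):
    """Return findings for a parsed /oauth/token body; empty list means OK."""
    findings = []
    # RFC 6749 section 5.1: "scope" may be omitted when identical to the request.
    granted = set(resp["scope"].split()) if "scope" in resp else set(requested)
    dropped = sorted(set(requested) - granted)
    if dropped:
        findings.append("scopes dropped: " + " ".join(dropped))
    if "refresh_token" not in resp:
        findings.append("no refresh_token in response")
    return findings
```

Logging the findings from `check_token_response` at login time makes a silently stripped scope visible before the CLI later fails to refresh.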