Can we use offline_access scope for refresh_token with a Native Application (instead of a Machine to Machine Application)?

We are looking to support a combination of two features that, upon browsing your docs and management console, appear to be mutually exclusive. I’m wondering if I’m misunderstanding something here or if this is a truly unsupported case. If it’s not supported, I’d like to put in a feature request.

We are building a CLI and we’re using an Auth0 Native Application to do authentication for it. Our CLI directs its user to the /authorize endpoint where they can perform the login (whether by username/password or social) in the browser and then we listen for the callback that comes with the oauth code and handle the rest (issuing the /oauth/token request and saving the access_token) under the hood in the CLI.

This all works well and we are satisfied with the flow.

Next, we would like to ask for a refresh_token to be returned next to the access_token so that the CLI may perform a silent background refresh. However, when I pass in the offline_access scope in the /authorize request as documented, the scope is seemingly stripped out of the request and I do not receive the refresh_token. Upon looking a little bit deeper, I’m seeing that Machine to Machine Applications might be the only ones that support the refresh_token, but that is not in line with our needs: we need to use the Native Application because we have a user involved.

Please let me know if I’m misunderstanding the configuration or if there are any other details I can provide you with.

Hi @daniel.barrett,

Welcome to the Community!

Thanks for the detailed description. You should be able to get a refresh token for a native application, and this scenario would be included in that. Are you getting any errors returned when you are requesting the token? Can you send me the name of your tenant in a DM so I can take a look?


Solved by support. Here are the notes from the support team:

  • We inspected the requests / responses to Auth0.

  • We discovered that a default audience was set at the tenant level, and that API did not have offline_access enabled.

  • We specified an audience that pointed to an API in Auth0 with offline_access enabled and we were able to get a refresh token.
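To make the support notes concrete, here is an added example (not code from this thread and not Auth0's own SDK) of the CLI side of the flow described in the question: Authorization Code with PKCE for a native app, with the two checks the support team ran built in, namely whether the /authorize request actually carries offline_access plus an explicit audience, and whether the /oauth/token response actually contains a refresh_token. The tenant domain, client id, API identifier and redirect URI are placeholders; the HTTP calls themselves are left to the reader's client so the module runs offline.

```python
"""Native CLI login against Auth0: Authorization Code + PKCE, with the
offline_access / audience checks from the support notes above.
Placeholder values below are constructed for illustration."""
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

DOMAIN = "example-tenant.auth0.com"          # placeholder tenant domain
CLIENT_ID = "YOUR_NATIVE_APP_CLIENT_ID"       # placeholder Native Application client id
API_AUDIENCE = "https://api.example.com"      # placeholder API identifier; that API must have
                                              # "Allow Offline Access" enabled in Auth0
REDIRECT_URI = "http://127.0.0.1:8080/callback"  # loopback listener the CLI opens


def code_challenge_from(verifier: str) -> str:
    """S256 code challenge per RFC 7636: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Fresh (code_verifier, code_challenge) for one login attempt."""
    verifier = secrets.token_urlsafe(64)
    return verifier, code_challenge_from(verifier)


def build_authorize_url(state, code_challenge, audience=API_AUDIENCE, offline=True):
    """URL the CLI opens in the browser. offline_access must be in scope and the
    audience must name an API with offline access enabled, or no refresh_token comes back."""
    scopes = ["openid", "profile"]
    if offline:
        scopes.append("offline_access")
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    if audience:
        params["audience"] = audience
    return f"https://{DOMAIN}/authorize?{urlencode(params)}"


def diagnose_authorize_url(url):
    """The support team's first check: list what is missing from the request."""
    q = parse_qs(urlparse(url).query)
    scope = q.get("scope", [""])[0].split()
    problems = []
    if "offline_access" not in scope:
        problems.append("scope lacks offline_access")
    if "audience" not in q:
        problems.append("no audience: the tenant-level default audience will be used")
    return problems


def parse_callback(callback_url, expected_state):
    """Extract the code from the loopback callback, rejecting a state mismatch."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback did not come from our /authorize request")
    if "error" in q:
        raise RuntimeError(q.get("error_description", q["error"])[0])
    return q["code"][0]


def build_token_request(code, code_verifier):
    """Form body for POST https://DOMAIN/oauth/token (public client, no secret)."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "code_verifier": code_verifier,
        "redirect_uri": REDIRECT_URI,
    }


def build_refresh_request(refresh_token):
    """Form body for the silent background refresh."""
    return {"grant_type": "refresh_token", "client_id": CLIENT_ID,
            "refresh_token": refresh_token}


def diagnose_token_response(body_json):
    """The support team's second check, run on the raw /oauth/token response body."""
    resp = json.loads(body_json)
    if "refresh_token" in resp:
        return "ok"
    if "access_token" in resp:
        return ("no refresh_token: check that the audience API has offline_access "
                "enabled and that offline_access survived in the granted scope")
    return "error: " + resp.get("error_description", resp.get("error", "unknown"))


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    url = build_authorize_url(state, challenge)
    print("Open in browser:", url)
    print("Request problems:", diagnose_authorize_url(url) or "none")
```

Run the module to print the authorize URL and its diagnosis; if the diagnosis is empty and the token response still lacks a refresh_token, the remaining place to look is the API's offline access setting, exactly as in the support notes.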
