Cannot get refresh token from Authorization Code Flow with PKCE

nrabinowitz · February 9, 2021, 1:51am

I’m working on a web application that needs to get refresh tokens using the PKCE flow. For reasons outside this ticket, I need to roll my own client for the Auth0 API, so I’m not using the JS SDKs.

I am attempting to follow the flow here: Add Login Using the Authorization Code Flow with PKCE

My API has Enable Offline Access enabled
My Application’s Grant Types include Authorization Code
I’m successfully authorizing the user through the /authorize endpoint, including offline_access in the scope.
I get the code after authorization, and I can successfully exchange the code and code_verifier for tokens using grant_type: authorization_code

But no matter what I try, I only get back access_token and id_token, not refresh_token, in the /oauth/token response payload. The response payload even includes offline_access in its scopes, but no refresh token is forthcoming.

What am I missing here? I’ve been banging my head against this for a day or more, and have read most of the Auth0 documentation that appears relevant.

Sample code for the /authorization call:

// Make the URL
const params = new URLSearchParams();
params.append('response_type', 'code');
params.append('response_mode', 'query');
params.append('audience', audience);
params.append('state', state);
params.append('code_challenge', codeChallenge);
params.append('code_challenge_method', 'S256');
params.append('client_id', clientId);
params.append('redirect_uri', redirectURI);
params.append('scope', scope);

const url = `https://${domain}/authorize?${params}`;

// Redirect the current page
window.location.assign(url);

Sample code for the /oauth/token call:

const params = new URLSearchParams();
params.append('grant_type', 'authorization_code');
params.append('audience', audience);
params.append('client_id', clientId);
params.append('code_verifier', transaction.code_verifier);
params.append('code', code);
params.append('redirect_uri', redirectURI);

const res = await request(`https://${domain}/oauth/token`, {
  method: 'POST',
  body: params.toString(),
  headers: {'Content-Type': 'application/x-www-form-urlencoded'}
});

Update

I finally found the root cause in the Auth0 logs:

Type: Warning During Login
Description: The scope ‘offline_access’ was requested, but no ‘refresh_token’ was issued because the authorization code exchange originated from a browser

Still not sure how to get around this, as I’d like to acquire a refresh token from a browser interface.

nrabinowitz · February 9, 2021, 6:02pm

I’ve confirmed that I can get the refresh token through the Auth0 debugger. That suggests that there’s a problem in the way I’m implementing the flow, not in the Auth0 setup. Would appreciate any suggestions.

cibrax · February 16, 2021, 8:30pm

I believe this is what you are needing.

konrad.sopala · February 17, 2021, 11:36am

Thanks for sharing that with the rest of community!

nrabinowitz · February 17, 2021, 5:12pm

Using refresh token rotation for now. I was hoping to acquire a long-lived refresh token for customers to use in their own applications, but for now the Auth0 advice is to use client secrets for this use case.

Topic		Replies	Views
Not getting a refresh token from Auth0.authorize() - PKCE Help	3	5359	September 25, 2019
Refresh_token missing Help	8	8742	May 12, 2020
Unable to get refresh token from the device code authorization flow Help auth0 , refresh_token	4	2407	December 22, 2022
Unable to Get Refresh Token Help	2	2762	December 20, 2019
Code not found in /authorize endpoint Help auth0 , api , refresh-tokens	2	3779	May 12, 2020

Cannot get refresh token from Authorization Code Flow with PKCE

Related Topics