
Get an access token from an id token

oidc-conformant

#1

We’re looking into getting OIDC-conformant.

In our app, we currently have an ID token and a refresh token stored.

We used to be able to use the refresh token to get fresh ID tokens, but that doesn’t work anymore.

It does work, however, if I add an audience when retrieving the refresh token in the first place. I.e. when using the OIDC flow.

My question is:
Is there a way to use the existing non-OIDC-conformant ID token to retrieve an OIDC-conformant refresh token and access token?

Or is the only way to get OIDC-conformant to have the users log out and log in again? (This would be nice to avoid.)


#2

Hi @anders.
Unfortunately, the only way as of now would be to ask the users to authorize again, because of two reasons:

  • The refresh tokens obtained with the pre-OIDC-Conformant pipeline are not compatible with the OIDC-Conformant pipeline. The old refresh tokens are not associated with any “grant”, i.e. the user consenting (implicitly or explicitly) to Auth0 issuing a token to the application to access the API (audience) on behalf of the user.
  • You cannot obtain a new refresh token from an old refresh token or id token.

I’m sorry for the added friction on this, but there are too many changes under the hood in the pipelines to make the transition more seamless.
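
An added example, not code from this thread or from Auth0: client-side routing for the migration described in reply #2, where only sessions obtained with an audience can be refreshed and everything else has to go back through authorization. The tenant domain, client ID, audience, the stored-session dict and the "defer" step are assumptions made for illustration.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Placeholders, not values from the thread.
DOMAIN = "example-tenant.auth0.com"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
AUDIENCE = "https://api.example.com/"

def jwt_exp(token):
    """Read `exp` for routing only. No signature check: never use this for authorization."""
    body = token.split(".")[1]
    body += "=" * (-len(body) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(body)).get("exp", 0)

def authorize_url(redirect_uri, state):
    """Login request whose grant is bound to AUDIENCE and includes a refresh token."""
    query = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": "openid offline_access",  # offline_access requests the refresh token
        "audience": AUDIENCE,
        "state": state,
    }
    return f"https://{DOMAIN}/authorize?{urlencode(query)}"

def refresh_request(refresh_token):
    """URL and form body for a refresh; confidential clients also send client_secret."""
    return f"https://{DOMAIN}/oauth/token", {
        "grant_type": "refresh_token",
        "client_id": CLIENT_ID,
        "refresh_token": refresh_token,
    }

def next_step(session, now=None):
    """Route a stored session (hypothetical dict: id_token, refresh_token, audience)."""
    now = time.time() if now is None else now
    if session.get("audience"):
        return "refresh"      # obtained through the audience-bound flow
    if jwt_exp(session["id_token"]) > now:
        return "defer"        # legacy but still valid: prompt at a convenient moment
    return "reauthorize"      # legacy and expired: send the user to authorize_url()

def fake_jwt(exp):
    """Constructed, unsigned sample token for trying next_step()."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'exp': exp})}.sig"
```

Record the audience alongside the refresh token when the new login completes, so later runs can tell the two kinds of session apart.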


#3

OK. That’s actually a big thing.

Where can I read about your thoughts on this?

Having all our users being forced to re-authenticate in our app will probably result in a drop in usage/sessions.
Which potentially has an impact on our bottom line.
What are your estimates of this drop in usage?

For now we will be relying on the /delegate endpoint to refresh pre-OIDC issued ID tokens.