Get new Access Token using Refresh Token in resource owner password flow

I am trying to implement refresh token in my application.

I was able to get both the access token and refresh token using Auth0.

I am using password-realm since I have different login applications in Auth0.

Question:

  1. What I am trying to do is to get a new access token using the refresh token I received previously.

Configuration:

  2. In the APIs I have also enabled “Allow Offline Access”, and in Application settings “Refresh Token Expiration” Absolute Expiration is enabled and set to 604800 seconds.
  3. In “Advanced Settings” the grant type “refresh_token” is also enabled.

I referred to the following document to get the refresh token:
https://auth0.com/docs/get-started/authentication-and-authorization-flow/call-your-api-using-resource-owner-password-flow

  const options = {
    method: "POST",
    url: "{application_url}/oauth/token",
    headers: { "content-type": "application/x-www-form-urlencoded" },
    data: new URLSearchParams({
      grant_type: "refresh_token",
      client_id: "client_id",
      refresh_token: "",
      audience: "https://dev.rimot-ew.xyz",
      scope: "offline_access",
    }),
  };
  const result = await axios.request(options);  

When I execute the above code I am getting an error as “access denied” with the description “Unauthorised”.
Am I missing any configuration?
I made sure the URL is correct since I am using the same to get the access token, the refresh token is also the one I received when I logged in, and the client_id is also correct.

I would appreciate it if anybody could help me to fix this issue.

1 Like

Hi @walter.adbe,

Thanks for reaching out to the Auth0 Community!

After looking carefully at the code snippet you shared, I noticed that the audience parameter you passed is not an audience defined in your API settings.

Could you please ensure the audience parameter points to an audience identifier of one of your APIs?

And could you please make sure you are also passing the client_secret parameter in the request? This is needed for confidential clients.

Please let me know how this goes for you.

Thanks,
Rueben

Hi @rueben.tiow

Thank you for your quick response.

I am testing on a different account; that is why the audience parameter is wrong.
In the previous I used the parameter found in the API Audience.
As you have suggested, I have added client_secret:

   const refreshBody = {
        client_id: "client_id",
        client_secret: "secret",
        grant_type: "refresh_token",
        realm: "custom_db",
        audience: "API Audience",
        scope: "offline_access",
        refresh_token: "refresh_token"
    }


    const { data: refreshData } = await axios.post("URL", refreshBody,
        {
            headers: { 'Content-Type': 'application/x-www-form-urlencoded', }
        })

Note:
I have different APIs and each API connects to a different Database connection.
I am building an authentication server where multiple applications use it to log in.

For the above code I am getting the following response:

data: {
  error: 'access_denied',
  error_description: 'Product information invalid access denied'
}
  • It is also important to note that when I tested the above code with only one API and one DB connection, it was working. I was able to get the new access token.

Are there any other configurations that I have to do when I have multiple APIs and database connections? Each API has access to only 1 Database connection and I was able to test it by using the login service of a different API.

1 Like

Hi @rueben.tiow

Thank you for your help. I had to delete all my APIs and database connections and rebuild them again. After that everything seems to work.

   const refreshBody = {
        client_id: "client_id",
        client_secret: "secret",
        grant_type: "refresh_token",
        realm: "custom_db",
        audience: "API Audience",
        scope: "offline_access",
        refresh_token: "refresh_token"
    }


    const { data: refreshData } = await axios.post("URL", refreshBody,
        {
            headers: { 'Content-Type': 'application/x-www-form-urlencoded', }
        })

The above code works and I am able to get a new access token.

1 Like

Hi @walter.adbe,

Thanks for your responses.

I’m glad everything is working now, and thank you for sharing your solution with the rest of the Community!

If you have any additional questions, please reach out to us again!

Thanks,
Rueben

1 Like
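
As an added example (not code from this thread or from Auth0), the refresh-token grant discussed above can be validated before it is sent, logged without leaking the secret or the refresh token, and its reply normalized so the `error` / `error_description` shape seen in the thread is handled explicitly. The function names, the `confidential` flag and all sample values are assumptions made for illustration.

```javascript
// Added example, not code from the thread; names and values are assumptions.
const REQUIRED = ["tokenUrl", "clientId", "refreshToken"];

// Build the form-encoded refresh_token grant (RFC 6749, section 6).
function buildRefreshRequest(cfg) {
  for (const key of REQUIRED) {
    if (!cfg[key]) throw new Error(`missing ${key}`);
  }
  // Confidential clients must authenticate: fail locally, not on a denied reply.
  if (cfg.confidential && !cfg.clientSecret) throw new Error("missing clientSecret");
  if (!cfg.tokenUrl.startsWith("https://")) throw new Error("tokenUrl must be https");
  const body = new URLSearchParams({
    grant_type: "refresh_token",
    client_id: cfg.clientId,
    refresh_token: cfg.refreshToken,
  });
  if (cfg.clientSecret) body.set("client_secret", cfg.clientSecret);
  if (cfg.scope) body.set("scope", cfg.scope);
  return {
    url: cfg.tokenUrl, method: "POST",
    headers: { "content-type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// Copy of the request that is safe to log: secrets replaced with a marker.
function redactForLog(request) {
  const params = new URLSearchParams(request.body);
  for (const secret of ["client_secret", "refresh_token"]) {
    if (params.has(secret)) params.set(secret, "[REDACTED]");
  }
  return { ...request, body: params.toString() };
}

// Normalize the token endpoint reply into one shape the caller can branch on.
function interpretTokenResponse(status, payload, previousRefreshToken) {
  if (status !== 200 || !payload.access_token) {
    return { ok: false, error: payload.error || "unknown_error",
             description: payload.error_description || "" };
  }
  return {
    ok: true,
    accessToken: payload.access_token,
    expiresIn: payload.expires_in,
    // The server may issue a new refresh token (rotation); if so, store it.
    refreshToken: payload.refresh_token || previousRefreshToken,
  };
}
```

The returned object can be passed to any HTTP client; only the output of `redactForLog` should reach application logs.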
