Get refresh token when requesting client credentials

I am currently requesting client_credentials to receive an access token and be able to access certain endpoints with it accordingly. The current issue is that the response does not contain refresh_token, and from what I understand, I need to send another request to the /authorize endpoint to generate a code, which is then used to send a request of type authorization_code that returns both access_token and refresh_token.

The problem is that the /authorize endpoint renders a form that requires login to generate a code. Is there another way to get that code, OR another way in general to get both access_token and refresh_token?

Hi @omar.elsafwany,

Welcome to the Auth0 Community!

The client credentials grant does not support refresh tokens.

I think there may be some confusion though, because it doesn’t sound like you are using client credentials, but rather an auth code.

Could you show us a code snippet of what you are doing?

Hello @dan.woda

The request I am sending is the following

# Request as posted. The Cookie header carries a browser-session cookie that
# the /oauth/token endpoint does not need for the client_credentials grant.
curl --location 'https://dev-qzbuevkju0f6s5kg.us.auth0.com/oauth/token' \
    --header 'Content-Type: application/json' \
    --header 'Cookie: did=s%3Av0%3A3e94caf0-1e36-11ee-971c-c70c19658b19.S3sBGdMXyfjAH3mcTs1GXoN2YRz7g4dtA4ioZqETAM0; did_compat=s%3Av0%3A3e94caf0-1e36-11ee-971c-c70c19658b19.S3sBGdMXyfjAH3mcTs1GXoN2YRz7g4dtA4ioZqETAM0' \
    --data '{
        "client_id": "client_id",
        "client_secret": "client_secret",
        "audience": "https://brkz.co",
        "grant_type": "client_credentials",
        "scope": "read:private read:protected"
    }'

and the response is as follows

{
    "access_token": "access_token",
    "scope": "read:private read:protected",
    "expires_in": 86400,
    "token_type": "Bearer"
}

The thing is, with that flow I am not able to refresh the token once it has expired. To get refresh_token, I would need to call the /authorize endpoint, which renders a login form. Is there any other way to get the refresh_token, since I am mainly using an M2M setup?

N.B. The current application I am working on does not support email/username. The application expects a mobile number and then sends an OTP to the customer. Once the customer inputs the OTP, they gain access and proceed. At that point, I'll be attempting to generate an access token to send with future requests, but I would also need a refresh token in case the access token expires.

@omar.elsafwany,

That is a client credentials grant…but that grant specifically does not support refresh tokens, by design.

This is not a M2M flow. You shouldn’t be sending a M2M (client credentials) token to your user. The user should be requesting their own Access Token from the auth server. Is the OTP login happening through Auth0?

@dan.woda currently it’s not but I am currently considering that. Passwordless seems to take care of many things.


Yes, I would suggest passwordless to handle your flow.
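As an added example (not code from this thread, from the original poster, or from Auth0), the following Python script simulates the token-endpoint behaviour the replies above describe, so the difference between the two flows can be run offline: the client_credentials grant returns an access token for the application itself and never a refresh_token; a user-facing grant (the passwordless SMS OTP exchange that the suggested Passwordless setup ends with) returns a refresh_token when offline_access is in the requested scope; and the refresh_token grant trades that token for a fresh access token. The class FakeTokenEndpoint is a hypothetical in-memory stand-in for /oauth/token and is an assumption of this example; the grant_type values and request field names follow Auth0's public token-endpoint parameters, while the client_id, client_secret, phone number, OTP, and the refresh-token rotation rule are constructed for the demo.

```python
"""Simulated /oauth/token behaviour for the grants discussed in this thread.

FakeTokenEndpoint is a constructed stand-in, not Auth0 code. It models only:
  * client_credentials -> access token for the app itself, never a refresh_token
  * passwordless OTP grant -> user access token, plus refresh_token if the
    requested scope contains offline_access
  * refresh_token grant -> new access token (old refresh token is rotated out)
"""
import secrets
from dataclasses import dataclass, field

# Auth0's grant_type value for exchanging a passwordless OTP for tokens
PASSWORDLESS_OTP_GRANT = "http://auth0.com/oauth/grant-type/passwordless/otp"


@dataclass
class FakeTokenEndpoint:
    client_id: str
    client_secret: str
    pending_otps: dict                                   # phone -> OTP "sent" to the user (constructed)
    refresh_tokens: dict = field(default_factory=dict)   # refresh_token -> (subject, scope)

    def _client_ok(self, req):
        return (req.get("client_id") == self.client_id
                and req.get("client_secret") == self.client_secret)

    def _issue(self, subject, scope, offline):
        resp = {"access_token": f"at_{secrets.token_urlsafe(8)}",
                "token_type": "Bearer", "expires_in": 86400, "scope": scope}
        if offline:  # only user grants that asked for offline_access reach here
            rt = f"rt_{secrets.token_urlsafe(8)}"
            self.refresh_tokens[rt] = (subject, scope)
            resp["refresh_token"] = rt
        return resp

    def token(self, req):
        grant = req.get("grant_type")
        if grant == "client_credentials":
            if not self._client_ok(req):
                return {"error": "access_denied", "error_description": "Unauthorized"}
            # M2M: subject is the application, and no refresh_token regardless of scope
            return self._issue(f"{self.client_id}@clients", req.get("scope", ""), offline=False)
        if grant == PASSWORDLESS_OTP_GRANT:
            phone, otp = req.get("username"), req.get("otp")
            # explicit "not otp" guard: a missing OTP must not compare equal to a missing entry
            if not otp or self.pending_otps.get(phone) != otp:
                return {"error": "invalid_grant",
                        "error_description": "Wrong phone number or verification code."}
            del self.pending_otps[phone]  # an OTP is single-use
            offline = "offline_access" in req.get("scope", "").split()
            return self._issue(phone, req.get("scope", ""), offline)
        if grant == "refresh_token":
            if not self._client_ok(req):
                return {"error": "access_denied", "error_description": "Unauthorized"}
            entry = self.refresh_tokens.pop(req.get("refresh_token"), None)  # rotation: consumed
            if entry is None:
                return {"error": "invalid_grant", "error_description": "Unknown or reused refresh token"}
            subject, scope = entry
            return self._issue(subject, scope, offline=True)
        return {"error": "unsupported_grant_type"}


def m2m_token(ep, client_id, client_secret, audience, scope):
    """The request from the thread: grant_type=client_credentials."""
    return ep.token({"grant_type": "client_credentials", "client_id": client_id,
                     "client_secret": client_secret, "audience": audience, "scope": scope})


def user_token_via_sms_otp(ep, client_id, client_secret, phone, otp, audience, scope):
    """Exchange the OTP the user typed in for tokens issued to that user."""
    return ep.token({"grant_type": PASSWORDLESS_OTP_GRANT, "client_id": client_id,
                     "client_secret": client_secret, "username": phone, "otp": otp,
                     "realm": "sms", "audience": audience, "scope": scope})


def refresh_access_token(ep, client_id, client_secret, refresh_token):
    return ep.token({"grant_type": "refresh_token", "client_id": client_id,
                     "client_secret": client_secret, "refresh_token": refresh_token})


def run_demo():
    """Run all three grants against a fresh endpoint; values below are constructed."""
    ep = FakeTokenEndpoint("client_id", "client_secret", pending_otps={"+15555550123": "482913"})
    aud, scope = "https://brkz.co", "read:private read:protected offline_access"
    m2m = m2m_token(ep, "client_id", "client_secret", aud, scope)
    user = user_token_via_sms_otp(ep, "client_id", "client_secret", "+15555550123", "482913", aud, scope)
    replay = user_token_via_sms_otp(ep, "client_id", "client_secret", "+15555550123", "482913", aud, scope)
    refreshed = refresh_access_token(ep, "client_id", "client_secret", user["refresh_token"])
    reused = refresh_access_token(ep, "client_id", "client_secret", user["refresh_token"])
    return {"m2m": m2m, "user": user, "replay": replay, "refreshed": refreshed, "reused": reused}


if __name__ == "__main__":
    for name, resp in run_demo().items():
        print(f"{name:10} refresh_token={'refresh_token' in resp} error={resp.get('error', '')}")
```

The M2M request asks for offline_access too, and still gets no refresh_token: that is the point of Dan's reply, and the thing to change is which grant is used, not the scope. The per-user flow hands each customer their own access and refresh token, so the application's client_secret never has to be shipped to the phone, and an individual customer's refresh token can be revoked without affecting anyone else.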
