Getting a refresh_token from the server side

  1. We have implemented a custom login page in our Frontend application that directly connects to our server application. Our current process aligns with the Resource Owner Password Flow as described in the documentation.
  2. We intentionally avoid using the authorize endpoint or the Authorization Code Flow, as we are not integrating with social identity providers at this stage.
  3. To fetch the access_token, we invoke the oauth/token endpoint, using the grant_type set to 'password'.
  4. Based on the documentation, it appears that obtaining a refresh_token via this flow is not supported. Therefore, we are seeking guidance on how to authenticate users through our server application without requiring them to re-enter their credentials every 24 hours. Is there a way to refresh the token within our current setup, or do we need to modify our approach?

Hi @joaofrca

Welcome to the Auth0 Community!

Thank you for posting your question; adding offline_access to the scope will give you the refresh token in the response. I've just tested the request below with the Management API as the audience, and it returned the refresh and access token properly.

curl --location --request POST 'https://{TENANT_DOMAIN}/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'client_id=CLIENT_ID' \
--data-urlencode 'client_secret=CLIENT_SECRET' \
--data-urlencode 'audience=AUDIENCE' \
--data-urlencode 'username=USERNAME' \
--data-urlencode 'password=PASSWORD' \
--data-urlencode 'scope=openid profile email offline_access'

Thanks
Dawid

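The same exchange as the curl request above, done from the server application, plus the follow-up refresh_token grant that the original question asks about. This is an added example, not code from the thread or from Auth0; TENANT_DOMAIN, the client credentials and the `transport` test hook are assumptions, and the audience/username values are placeholders.

```python
import json
import urllib.parse
import urllib.request

TENANT_DOMAIN = "YOUR_TENANT.example.auth0.com"  # placeholder, not a real tenant
TOKEN_URL = f"https://{TENANT_DOMAIN}/oauth/token"


def _post_form(form, transport=None):
    """POST a form-encoded body to /oauth/token and decode the JSON reply.

    `transport` is an assumed test hook: a callable that receives the form dict
    and returns the decoded response, so the logic can be exercised offline.
    """
    if transport is not None:
        return transport(form)
    req = urllib.request.Request(
        TOKEN_URL,
        data=urllib.parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def password_grant(client_id, client_secret, audience, username, password, transport=None):
    """Resource Owner Password grant. 'offline_access' in scope is what makes
    Auth0 include a refresh_token; the API must also allow offline access."""
    form = {
        "grant_type": "password", "client_id": client_id, "client_secret": client_secret,
        "audience": audience, "username": username, "password": password,
        "scope": "openid profile email offline_access",
    }
    tokens = _post_form(form, transport)
    if "refresh_token" not in tokens:  # fail loudly instead of silently forcing a re-login later
        raise RuntimeError("no refresh_token returned: check offline_access scope and API offline access")
    return tokens


def refresh_grant(client_id, client_secret, refresh_token, transport=None):
    """Exchange the stored refresh_token for a new access_token without the user's
    credentials. Keep the refresh_token server-side only; with refresh token rotation
    enabled the reply carries a new refresh_token that must replace the stored one."""
    form = {
        "grant_type": "refresh_token", "client_id": client_id,
        "client_secret": client_secret, "refresh_token": refresh_token,
    }
    tokens = _post_form(form, transport)
    return tokens["access_token"], tokens.get("refresh_token", refresh_token)
```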

Hi @dawid.matuszczyk ,
This worked indeed! Thank you so much, I highly appreciate it!
But let me just make a suggestion that the documentation could/should be improved. I do not find scope mentioned anywhere referring to the oauth/token endpoint. Please see the section on "Get Refresh Tokens":

To get a refresh token, you must include the offline_access (scope) when you initiate an authentication request through the /authorize endpoint. Be sure to initiate Offline Access in your API. For more information, read (API Settings).

It is quite a struggle to see the proper contracts of the APIs, and everything they shall or shall not accept in the payloads, as it is also difficult to find the proper responses.

Best,
João

Thank you for the feedback, @joaofrca; I will pass it on to the Documentation Team!

Thanks!
Dawid
