Getting refresh tokens when working with client credentials

rickychau193 · February 9, 2022, 4:39pm

Hi everyone,

I’ve been working on getting Auth0+Google APIs to work for me. I managed to get it working with regular access tokens with the following flow:

Retrieve the Auth0 Management API Access Token from https://MYDOMAIN.auth0.com/oauth/token with my client ID+Secret
Using the Mgmt API Token, retrieve the users access token from https://MYDOMAIN.auth0.com/api/v2/users/google-oauth2|USERID
Using Googles API (OAuth2Client) and the new access token achieved, I can invoke APIs.

So far so good.

Now, I want to get a Refresh Token so I can keep using the APIs even after the user is disconnected from the system.

I found this article:

But it only talks about getting refresh tokens when working with Authorization Codes, which is not my case.

I configured my API to allow refresh tokens, added access_type: “offline” to my auth params, and added “offline_access” to my scopes. But still, no refresh token is returned in the “identities” field when invoking /api/v2/users.

Does anyone have any idea how I can get refresh tokens in this setup?

Thanks in advance!

Which SDK this is regarding: auth0-node+nextJS
SDK Version: nextjs-auth0==1.6.1
Platform Version: e.g. Node 17.4.0

rickychau193 · February 10, 2022, 12:12pm

Ok, it seems I’ve managed to solve the issue. It seems it was solved by specifying the “offline_access” scope when invoking getAccessToken in NextJS. I’m not sure why Googles refresh token wasn’t sent until then, but this seems to have solved it.

konrad.sopala · February 10, 2022, 12:48pm

Perfect! Thanks for sharing!

john.gateley · February 10, 2022, 2:15pm

Hi @rickychau193

Nice work! The “offline_access” is the specified way to ask for a refresh token in OAuth2.

John

rickychau193 · February 12, 2022, 3:50pm

Right, but notice that I didn’t need to invoke getAccessToken in the original API invocation flow.
So to get the refresh token I actually needed to invoke an API that I didn’t really need, and invoking that API (getAccessToken) with the correct parameters made the refresh token appear in the identities fields from the /api/v2/users API.

Maybe I’m missing something, but if what I’m describing is correct, I wouldn’t say that’s very intuitive.

rickychau193 · February 20, 2022, 7:51pm

Hi guys, it seems the refresh token disappeared from the identities field, though I’m pretty sure my code wasn’t changed… I’m passing “offline_access” to all the API calls, could you maybe help me figure out how to debug this?
I guess my old estimation that adding the scope to getAccessToken wasn’t exactly what solved it.

Thanks again!