Getting refresh tokens when working with client credentials

Hi everyone,

I’ve been working on getting Auth0+Google APIs to work for me. I managed to get it working with regular access tokens with the following flow:

So far so good.

Now, I want to get a Refresh Token so I can keep using the APIs even after the user is disconnected from the system.

I found this article:

But it only talks about getting refresh tokens when working with Authorization Codes, which is not my case.

I configured my API to allow refresh tokens, added access_type: “offline” to my auth params, and added “offline_access” to my scopes. But still, no refresh token is returned in the “identities” field when invoking /api/v2/users.

Does anyone have any idea how I can get refresh tokens in this setup?

Thanks in advance!

  • Which SDK this is regarding: auth0-node+nextJS

  • SDK Version: nextjs-auth0==1.6.1

  • Platform Version: e.g. Node 17.4.0

Ok, it seems I’ve managed to solve the issue. It seems it was solved by specifying the “offline_access” scope when invoking getAccessToken in NextJS. I’m not sure why Googles refresh token wasn’t sent until then, but this seems to have solved it.

1 Like

Perfect! Thanks for sharing!

1 Like

Hi @rickychau193

Nice work! The “offline_access” is the specified way to ask for a refresh token in OAuth2.



Right, but notice that I didn’t need to invoke getAccessToken in the original API invocation flow.
So to get the refresh token I actually needed to invoke an API that I didn’t really need, and invoking that API (getAccessToken) with the correct parameters made the refresh token appear in the identities fields from the /api/v2/users API.

Maybe I’m missing something, but if what I’m describing is correct, I wouldn’t say that’s very intuitive.

Hi guys, it seems the refresh token disappeared from the identities field, though I’m pretty sure my code wasn’t changed… I’m passing “offline_access” to all the API calls, could you maybe help me figure out how to debug this?
I guess my old estimation that adding the scope to getAccessToken wasn’t exactly what solved it.

Thanks again!