@dan.woda Thank you for your help! I fear I didn’t understand your response and need additional clarification. Sorry!
The offline access scope is essentially a refresh token scope. If you add it in the request then you are requesting a refresh token be returned. Whether or not you will be issued a refresh token is dependent on if you have allowed offline access in your application.
I still don’t get (whether)the(re is a) difference between the refresh token returned to the client when using rotating refresh tokens and the refresh tokens returned when the offline access scope is enabled. Could you answer me with a “yes” or “no” on the following question:
Is offline access scope required when using rotating refresh tokens? Or put differently: Will rotating refresh tokens work properly without offline access scope enabled?
Refresh tokens come with added security considerations because of their long lived nature and their intended use of requesting tokens without user credentials.
This comes back to the same question I asked above: when I have rotating refresh tokens enabled, do I assume correctly that I’m already using refresh tokens in my client? Because if so, then I fail to understand why enabling offline access scope would have additional security implications, given that my clients already receive refresh tokens from auth0. Could you clarify this?
Thanks in advance for helping to lift my confusion.
I’ll respond soon with information to help debug the getTokenSilently case when the computer awakes.