Help Setting Up Refresh Token Rotation for iOS App with OIDC Conformant Mode

We’re currently working on enabling Refresh Token Rotation in our iOS app and would appreciate some guidance to ensure everything is configured correctly.

From what I understand, this feature requires OIDC Conformant mode to be enabled — and indeed, the toggle for Refresh Token Rotation only becomes active after enabling it. However, I wasn’t able to clearly identify from the documentation what specific code changes (if any) are needed on the iOS client or on our backend API once OIDC Conformant mode is turned on.

We currently use the Auth0.swift SDK, and support the following authentication flows:

  1. Regular WebAuth:
Auth0.webAuth(
    clientId: ...,
    domain: ...
)
.useEphemeralSession()
.audience(...)
.scope("openid profile email offline_access")
.start(...
  2. WebAuth with specific connection (e.g., Google, Facebook, Apple, Username-Password):
Auth0.webAuth(
    clientId: ...,
    domain: ...
)
.useEphemeralSession()
.connection(...) // e.g. "google-oauth2", "facebook", etc.
.audience(...)
.scope("openid profile email offline_access")
.start(...
  3. Apple native login with authorization code:
Auth0.authentication(
    clientId: ...,
    domain: ...
)
.login(
    appleAuthorizationCode: ...,
    fullName: ...,
    audience: ...,
    scope: "openid profile email offline_access"
)
  4. Username-password (resource owner password) login:
Auth0.authentication(
    clientId: ...,
    domain: ...
)
.login(
    usernameOrEmail: ...,
    password: ...,
    realmOrConnection: "Username-Password-Authentication",
    audience: ...,
    scope: "openid profile email offline_access"
)
.start(...

We’d like to confirm:

  1. Are there any code changes we need to make to these login flows when enabling OIDC Conformant mode and Refresh Token Rotation?
  2. Are there any token format or claim differences we should account for in our backend API (which validates and uses Auth0 tokens)?
  3. Is it required or recommended to migrate all login methods to go through WebAuth for compatibility with rotation and OIDC?

Any clarification or best practices would be greatly appreciated. We’ve reviewed the documentation but found it unclear on the above points.

Thanks in advance for your help!

Best regards,
Oleh Repsh
iOS Developer of Life.Church app

Hi @oleg.repsh

Welcome to the Auth0 Community!

I understand that you have already reviewed our documentation regarding OIDC Conformant mode for Auth0 Applications. Just to make sure we are referring to the same documentation, I will leave it here as well:

OIDC Conformant Authentication

  1. Are there any code changes we need to make to these login flows when enabling OIDC Conformant mode and Refresh Token Rotation?

No, as long as your application has the correct scopes, audience and parameters, there are no additional changes required.

  2. Are there any token format or claim differences we should account for in our backend API (which validates and uses Auth0 tokens)?

Once OIDC Conformant mode is enabled, the claims in your tokens must conform to the list of Standard Claims of OIDC, with the restrictions on Custom Claims mentioned in our documentation.
Regarding scopes, they will also be restricted to the standard OIDC authentication protocol. You can read more about that here.

  3. Is it required or recommended to migrate all login methods to go through WebAuth for compatibility with rotation and OIDC?

It is not a requirement to migrate all login methods to go through the .webAuth method. We do recommend it, but the results can be accomplished with the Authentication API. However, you might encounter fewer issues in adapting the Universal Login Experience on a native application by using webAuth instead.

If you have any other questions, let me know or you can always contact our support team as well if you are under a paid plan or during a trial.

Kind Regards,
Nik
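Added example (not part of either post above, and not Auth0's or Auth0.swift's code): a small Python model of what Refresh Token Rotation changes, which is the reason the answer can say the four login flows need no code changes. Whichever flow obtained the refresh token, rotation means every refresh returns a new refresh token and retires the one presented; the client's only obligation is to overwrite its stored refresh token each time. Presenting a retired token again is reuse, and the server revokes the whole token family so that a copied token and the legitimate one both stop working. The names here (RotatingRefreshServer, TokenFamily, ClientCredentialsStore, demo_leaked_token) are my own, the tokens are random strings rather than real JWTs, and the handling of a reuse within the leeway interval (accept it and hand back the current token without rotating again) is an assumption of this model, not a statement of Auth0's exact behaviour.

```python
import secrets
import time
from dataclasses import dataclass, field


class RefreshError(Exception):
    """Raised when a presented refresh token must not be honoured."""


@dataclass
class TokenFamily:
    """All refresh tokens descended from one login form a family (hypothetical model)."""
    family_id: str
    current: str                                            # the only token that should be live
    retired: dict[str, float] = field(default_factory=dict)  # old token -> time it was retired
    revoked: bool = False


class RotatingRefreshServer:
    """Model of an authorization server doing rotation plus reuse detection."""

    def __init__(self, reuse_interval_s: float = 0.0, clock=time.time) -> None:
        self.reuse_interval_s = reuse_interval_s   # leeway for racing clients; 0 = none
        self.clock = clock                          # injectable so the demo is deterministic
        self._family_of: dict[str, TokenFamily] = {}  # every token ever issued -> its family

    @staticmethod
    def _new_token() -> str:
        return secrets.token_urlsafe(32)

    def login(self) -> tuple[str, str]:
        """A successful login starts a fresh family; returns (access_token, refresh_token)."""
        fam = TokenFamily(family_id=secrets.token_hex(8), current=self._new_token())
        self._family_of[fam.current] = fam
        return self._new_token(), fam.current

    def refresh(self, presented: str) -> tuple[str, str]:
        """Rotate: retire the presented token and return a new (access_token, refresh_token)."""
        fam = self._family_of.get(presented)
        if fam is None:
            raise RefreshError("unknown refresh token")
        if fam.revoked:
            raise RefreshError("refresh token family has been revoked")
        if presented != fam.current:
            # A retired token came back. Inside the leeway window treat it as a race
            # (assumed behaviour) and return the live token; otherwise it is reuse.
            if self.clock() - fam.retired[presented] <= self.reuse_interval_s:
                return self._new_token(), fam.current
            fam.revoked = True
            raise RefreshError("reuse detected; family revoked, user must log in again")
        fam.retired[presented] = self.clock()
        fam.current = self._new_token()
        self._family_of[fam.current] = fam
        return self._new_token(), fam.current

    def is_revoked(self, refresh_token: str) -> bool:
        fam = self._family_of.get(refresh_token)
        return fam is not None and fam.revoked


class ClientCredentialsStore:
    """The client-side discipline rotation requires: keep only the latest refresh token."""

    def __init__(self, server: RotatingRefreshServer) -> None:
        self.server = server
        self.access_token, self.refresh_token = server.login()

    def renew(self) -> str:
        # The old refresh token is single-use now; overwrite it, never keep a copy.
        self.access_token, self.refresh_token = self.server.refresh(self.refresh_token)
        return self.access_token


def demo_leaked_token(reuse_interval_s: float = 0.0) -> dict[str, bool]:
    """Constructed scenario: a refresh token is copied at rest, then replayed after rotation."""
    now = [1_000.0]                                  # fake clock, seconds
    server = RotatingRefreshServer(reuse_interval_s, clock=lambda: now[0])
    app = ClientCredentialsStore(server)
    leaked = app.refresh_token                       # attacker copies the token at rest
    app.renew()                                      # legitimate rotation retires `leaked`
    now[0] += reuse_interval_s + 1                   # move past any leeway window
    try:
        server.refresh(leaked)                       # attacker replays the stale token
        reuse_rejected = False
    except RefreshError:
        reuse_rejected = True
    try:
        app.renew()                                  # legitimate client, same family
        legit_still_works = True
    except RefreshError:
        legit_still_works = False                    # family revoked: re-login required
    return {"reuse_rejected": reuse_rejected, "legit_still_works": legit_still_works}
```

The trade-off the demo makes visible is that reuse detection costs the legitimate user a re-login, so any client that caches a refresh token in more than one place (a second keychain item, a debug log, a backup) will trip it on itself; that is also why the reuse interval exists, to tolerate two instances racing on the same token rather than to permit long-term reuse.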