I am finding the documentation about refresh tokens to be a little scattered and unclear. I have enabled offline_access in the application settings as well as in getAccessTokenSilently(), and tried to set the token expiry rate in the Application settings to something obvious like 20 seconds, but I am still not seeing a call to get a refresh token. I am not clear on how I am supposed to verify that I am indeed getting a refresh token. I can see on the /authorize endpoint that I am sending useRefreshTokens: true in the payload, but I am not sure if I have things set up correctly.
How can I verify this is working? Should I be seeing a new request happen in the network tab? I have not come across anything in the documentation to show how to test this functionality.
You will see an additional call to /token if the flow is working, when calling getAccessTokenSilently for example. Additionally, you will see a successful refresh token exchange (sertft) in your dashboard logs:
But unfortunately it confirms that if I make the settings I think I need to make to get a refresh token, I get a “consent error”. This seems to happen every time I pass offline_access to the scope property in the params of getAccessTokenSilently(). I have seen a few posts about this not being allowed on localhost, but my team needs to be able to develop on localhost obviously, and we need to test this before pushing to a staging environment. Is there a workaround for this problem?
Do you mind outlining your use case here in a bit more detail? If you are setting useRefreshTokens={true} on the Auth0Provider then you shouldn’t need to pass any additional scope to getAccessTokenSilently.
Because silent auth is a non-interactive flow, the user will have consented to any scopes previously. Some more on this below, as well as a potential workaround to getting Auth0 to accept localhost as first party:
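To make the two checks from this thread concrete (an extra /token call visible in the network tab, and a sertft entry in the tenant logs), here is an added example that is not part of the original posts and not Auth0's own SDK or API code. It takes a list of captured browser requests in an assumed shape (method, url, headers, body, roughly what a HAR export gives you) plus a list of tenant log entries, and reports whether the /authorize request actually asked for offline_access and whether a later POST to /oauth/token used grant_type=refresh_token. The tenant domain, client_id, request records, and log entries are constructed placeholders; the function names are mine.

```javascript
// Added example (not from the thread or from Auth0). Checks a captured request
// list and a tenant log export for evidence that the refresh-token flow ran.

const AUTH0_DOMAIN = "example-tenant.auth0.com"; // constructed placeholder tenant

// Extract grant_type from a /oauth/token POST body. auth0-spa-js posts JSON;
// other clients post form-encoded bodies, so both are handled (assumption).
function grantTypeOf(req) {
  const contentType = (req.headers && req.headers["content-type"]) || "";
  if (!req.body) return null;
  try {
    if (contentType.includes("application/json")) {
      return JSON.parse(req.body).grant_type || null;
    }
    return new URLSearchParams(req.body).get("grant_type");
  } catch (e) {
    return null; // malformed body: treat as "no grant type seen"
  }
}

// Walk the captured requests and summarise what the SDK actually sent.
function classifyAuthRequests(requests, domain = AUTH0_DOMAIN) {
  const summary = {
    authorizeCalls: 0,
    authorizeRequestedOfflineAccess: false,
    tokenCalls: 0,
    refreshTokenExchange: false,
  };
  for (const req of requests) {
    let url;
    try {
      url = new URL(req.url);
    } catch (e) {
      continue; // skip anything that is not a parseable absolute URL
    }
    if (url.hostname !== domain) continue;
    if (url.pathname === "/authorize") {
      summary.authorizeCalls += 1;
      // scope is space-separated; searchParams.get() already URL-decodes it
      const scopes = (url.searchParams.get("scope") || "").split(/\s+/);
      if (scopes.includes("offline_access")) summary.authorizeRequestedOfflineAccess = true;
    } else if (url.pathname === "/oauth/token" && req.method === "POST") {
      summary.tokenCalls += 1;
      if (grantTypeOf(req) === "refresh_token") summary.refreshTokenExchange = true;
    }
  }
  return summary;
}

// Turn the summary into the next thing to look at, in the order the thread suggests.
function diagnose(summary) {
  if (summary.refreshTokenExchange) return "ok: refresh token was exchanged at /oauth/token";
  if (!summary.authorizeRequestedOfflineAccess) {
    return "missing: /authorize never requested offline_access (check useRefreshTokens and the application's offline access setting)";
  }
  if (summary.tokenCalls === 0) {
    return "missing: no /oauth/token call observed yet (call getAccessTokenSilently after the access token expires)";
  }
  return "missing: /oauth/token was called but not with grant_type=refresh_token (no refresh token was used)";
}

// Tenant log type "sertft" is the successful refresh-token exchange named above.
function refreshExchangesInLogs(logEntries) {
  return logEntries.filter((entry) => entry.type === "sertft");
}

// Constructed sample capture: login redirect, code exchange, then a refresh.
const SAMPLE_REQUESTS = [
  {
    method: "GET",
    url: `https://${AUTH0_DOMAIN}/authorize?client_id=abc123&response_type=code&scope=openid%20profile%20email%20offline_access&redirect_uri=http%3A%2F%2Flocalhost%3A3000`,
    headers: {},
    body: null,
  },
  {
    method: "POST",
    url: `https://${AUTH0_DOMAIN}/oauth/token`,
    headers: { "content-type": "application/json" },
    body: JSON.stringify({ grant_type: "authorization_code", code: "xyz", client_id: "abc123" }),
  },
  {
    method: "POST",
    url: `https://${AUTH0_DOMAIN}/oauth/token`,
    headers: { "content-type": "application/json" },
    body: JSON.stringify({ grant_type: "refresh_token", refresh_token: "<redacted>", client_id: "abc123" }),
  },
];

// Constructed sample of tenant log entries (type codes only).
const SAMPLE_LOGS = [
  { type: "s", description: "Success Login" },
  { type: "sertft", description: "Success Exchange (Refresh Token for Access Token)" },
];

console.log(diagnose(classifyAuthRequests(SAMPLE_REQUESTS)));
console.log(`refresh exchanges in logs: ${refreshExchangesInLogs(SAMPLE_LOGS).length}`);
```

Run it with Node against your own HAR-derived request list instead of SAMPLE_REQUESTS; if diagnose() reports that /authorize never asked for offline_access, the SDK configuration is the problem rather than the token lifetime, and if /oauth/token was called without grant_type=refresh_token, the consent or localhost issue discussed above is the next thing to rule out.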