How can I test my refresh token is working with React Auth0 SDK?

I am finding the documentation about refresh tokens to be a little scattered and unclear. I have enabled offline_access in the application settings as well as in getAccessTokenSilently(), and tried to set the token expiry rate in the Application settings to something obvious like 20 seconds but I am still not seeing a call to get a refresh token. I am not clear on how I am supposed to verify that I am indeed getting a refresh token. I can see on the /authorize endpoint that I am sending useRefreshTokens: true in the payload, but I am not sure if I have things set up correctly.

How can I verify this is working? Should I be seeing a new request happen in the network tab? I have not come across anything in the documentation to show how to test this functionality.


Hello @jason.welsh !

You can verify you are in fact receiving a refresh token by inspecting the call to /token made by the SDK in the network tab, see:

You will see an additional call to /token if the flow is working, when calling getAccessTokenSilently for example. Additionally, you will see a successful refresh token exchange (sertft) in your dashboard logs:

Hope this helps to clarify!
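The network-tab check described in the reply above can be run over a saved HAR export. This is an added example, not part of the original posts and not Auth0's code; it assumes the SDK posts to a path ending in `/oauth/token` with a JSON or form-encoded body, and the function names and sample data are constructed for illustration.

```javascript
// Classify token-endpoint calls in a HAR export (DevTools > Network > save as HAR).
// Assumption: the token endpoint path ends in /oauth/token (the thread calls it "/token").
function parseBody(postData) {
  if (!postData || !postData.text) return {};
  if ((postData.mimeType || "").includes("json")) {
    try { return JSON.parse(postData.text); } catch { return {}; }
  }
  // Otherwise treat the body as application/x-www-form-urlencoded.
  return Object.fromEntries(new URLSearchParams(postData.text));
}

function summarizeTokenCalls(har) {
  return har.log.entries
    .filter((e) => e.request.method === "POST" &&
                   new URL(e.request.url).pathname.endsWith("/oauth/token"))
    .map((e) => {
      const req = parseBody(e.request.postData);
      let res = {};
      try { res = JSON.parse(e.response.content.text || "{}"); } catch { /* non-JSON body */ }
      return {
        status: e.response.status,
        grantType: req.grant_type || "unknown",
        // Report presence only; token values are never printed.
        sentRefreshToken: typeof req.refresh_token === "string",
        gotRefreshToken: typeof res.refresh_token === "string",
        error: res.error || null,
      };
    });
}

// True only if at least one refresh_token grant was sent and answered with 200.
function refreshFlowWorking(har) {
  return summarizeTokenCalls(har).some(
    (c) => c.grantType === "refresh_token" && c.status === 200 && c.sentRefreshToken);
}

// Constructed sample HAR: placeholder tenant host and token values.
const sampleHar = { log: { entries: [
  { request: { method: "POST", url: "https://tenant.example/oauth/token",
      postData: { mimeType: "application/json",
        text: '{"grant_type":"authorization_code","code":"CODE"}' } },
    response: { status: 200, content: { text: '{"access_token":"AT1","refresh_token":"RT1"}' } } },
  { request: { method: "POST", url: "https://tenant.example/oauth/token",
      postData: { mimeType: "application/x-www-form-urlencoded",
        text: "grant_type=refresh_token&refresh_token=RT1" } },
    response: { status: 200, content: { text: '{"access_token":"AT2","refresh_token":"RT2"}' } } },
] } };

console.log(summarizeTokenCalls(sampleHar));
```

A HAR file contains live token values, so treat it as a credential and delete it after the check.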

Thanks for your reply, it was very helpful.

But unfortunately it confirms that if I make the settings I think I need to make to get a refresh token, I get a “consent error”. This seems to happen every time I pass offline access to the scope property in the params of getAccessTokenSilently(). I have seen a few posts about this not being allowed on localhost but my team needs to be able to develop on localhost obviously and we need to test this before pushing to a staging environment. Is there a workaround for this problem?

No problem, happy to help!

Do you mind outlining your use case here in a bit more detail? If you are setting useRefreshTokens={true} on the Auth0Provider then you shouldn’t need to pass any additional scope to getAccessTokenSilently.

Because silent auth is a non-interactive flow, the user will have consented to any scopes previously. Some more on this below, as well as a potential workaround to getting Auth0 to accept localhost as first party:
