How do I prevent Refresh Tokens from being issued?

For my “Deploy CLI” Application, I don’t want Refresh Tokens to be issued. I have a hard time getting my head around the documentation here.

Setting “Allow Offline Access” to false may be documented to do this; it states “If this setting is enabled, Auth0 will allow applications to ask for Refresh Tokens for this API.”. It doesn’t make sense to me though: who is offline, and what is? Offline from the Internet? Is it the Client, the application or the API that is offline from the Internet? How will you get a new token in that case if you are not connected to the Internet? :thinking:

Exporting the tenant settings after doing this gives me this setup, which makes me think that the refresh token is “non-expiring” and has an “infinite lifetime” as stated in the settings. This sounds like it’s actually the opposite of what I want.

    refresh_token:
      expiration_type: non-expiring
      leeway: 0
      infinite_token_lifetime: true
      infinite_idle_token_lifetime: true
      token_lifetime: 31557600
      idle_token_lifetime: 2592000
      rotation_type: non-rotating

And I really cannot find in the documentation how to achieve this.

Also, the Refresh Token setting only states “When enabled, a refresh_token will expire based on an absolute lifetime, after which the token can no longer be used. If rotation is enabled, an expiration lifetime must be set.”. It doesn’t state what happens if disabled. Will the Refresh Token never expire, or will the Refresh Token not be issued?

Hello there @andreas.lundgren !

That totally makes sense, and refresh tokens are typically not included in the configuration/use of the deploy CLI. Looking at the documentation here: is your M2M application authorized to use the Management API (it should be), or another API? If you take a look at the Management API in your dashboard (Applications → APIs → Management API) you’ll see that there isn’t an option to enable offline access. This is because the Management API is typically accessed by an M2M app and thus via the client credentials flow. When your Management API access token expires, you would simply use the client credentials to obtain a new one.

Hope this helps, keep us posted!

OK, thank you for asserting that my Deploy CLI will not have a Refresh Token. I will mark the response as Solution, because ensuring this was my main objective.

But please give it some thought and see if this can be clarified from your end, in the tenant settings, documentation and vocabulary. I still don’t have a clue what is meant with “making an API accessible offline”; if the API is off the network, you simply cannot access it, right? :stuck_out_tongue: And the CLI export also shows these confusing settings that I now learned make no difference; maybe it would be better to leave them out of the export if not active?

1 Like

No problem, happy to help!

I agree that the term “offline access” is a bit confusing, but here is a Stack Overflow article that explains it well enough. Put simply, it just refers to the ability of a client application to access and interact with a user’s resources on a server even when the user is not currently logged in or actively using the application.

Hope this helps to clarify!

2 Likes
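The client credentials flow described in the answer above, as an added example (not code from the thread, the Deploy CLI, or Auth0): an M2M client authenticates with its client_id/client_secret, caches the access token until its expires_in runs out, and then simply authenticates again. There is no refresh_token in this grant, and the code refuses one if a token endpoint ever returned it, which is the practical meaning of “offline access” not applying to the Management API. The tenant domain, client ID, secret and audience are placeholder assumptions, and the token endpoint used in the demo is a constructed stand-in so the example runs offline; the real HTTP transport is included for reference but not exercised.

```python
"""Client-credentials token source for an M2M client such as a deploy CLI.

Added example, not from the original thread. All tenant values below are
placeholder assumptions. The HTTP transport is injectable so the demo at
the bottom runs against a constructed in-memory /oauth/token stand-in.
"""
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

# Assumed placeholder tenant values (not real identifiers).
TENANT_DOMAIN = "example.auth0.com"
CLIENT_ID = "deploy-cli-client-id"
CLIENT_SECRET = "deploy-cli-client-secret"
AUDIENCE = f"https://{TENANT_DOMAIN}/api/v2/"   # Management API identifier shape
TOKEN_URL = f"https://{TENANT_DOMAIN}/oauth/token"


def build_client_credentials_request() -> Dict[str, str]:
    """Form body for grant_type=client_credentials. Note: no offline_access scope,
    because this grant has no user and therefore no refresh token."""
    return {
        "grant_type": "client_credentials",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "audience": AUDIENCE,
    }


def http_post_form(url: str, form: Dict[str, str]) -> Dict:
    """Real transport: POST an urlencoded form and parse the JSON reply.
    Not called by the offline demo below."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


class ClientCredentialsTokenSource:
    """Caches one access token and re-authenticates when it is about to expire."""

    def __init__(self, post: Callable[[str, Dict[str, str]], Dict] = http_post_form,
                 now: Callable[[], float] = time.time, skew_seconds: int = 60):
        self._post = post
        self._now = now
        self._skew = skew_seconds
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.fetch_count = 0          # how many times we authenticated

    def _fetch(self) -> None:
        resp = self._post(TOKEN_URL, build_client_credentials_request())
        if resp.get("token_type", "").lower() != "bearer":
            raise ValueError("unexpected token_type in token response")
        # A client_credentials grant never yields a refresh token; treat one as a misconfiguration.
        if "refresh_token" in resp:
            raise ValueError("client_credentials grant must not return a refresh_token")
        self._token = resp["access_token"]
        self._expires_at = self._now() + int(resp["expires_in"])
        self.fetch_count += 1

    def access_token(self) -> str:
        """Return a valid token, re-authenticating (not refreshing) when needed."""
        if self._token is None or self._now() >= self._expires_at - self._skew:
            self._fetch()
        return self._token


def demo():
    """Offline walk-through against a constructed token endpoint."""
    clock = [1_000_000.0]
    calls = [0]

    def fake_token_endpoint(url: str, form: Dict[str, str]) -> Dict:
        # Constructed stand-in for /oauth/token; shape mirrors a real reply.
        assert url == TOKEN_URL and form["grant_type"] == "client_credentials"
        calls[0] += 1
        return {"access_token": f"at-{calls[0]}", "token_type": "Bearer",
                "expires_in": 86400, "scope": "read:clients"}

    src = ClientCredentialsTokenSource(post=fake_token_endpoint, now=lambda: clock[0])
    first = src.access_token()        # authenticates
    cached = src.access_token()       # served from cache
    clock[0] += 86400                 # lifetime elapsed
    renewed = src.access_token()      # authenticates again, no refresh token involved
    return first, cached, renewed, src.fetch_count


def rejects_unexpected_refresh_token() -> bool:
    """True if a response carrying refresh_token is refused."""
    bad = lambda url, form: {"access_token": "x", "token_type": "Bearer",
                             "expires_in": 60, "refresh_token": "should-not-exist"}
    try:
        ClientCredentialsTokenSource(post=bad, now=lambda: 0.0).access_token()
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), rejects_unexpected_refresh_token())
```

The skew of 60 seconds makes the client re-authenticate slightly before the token's absolute expiry, so a long-running deployment job does not fail mid-request; with a real tenant, swap the constructed endpoint for the default `http_post_form` transport.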
