I’m using the auth0-java SDK to build a Spring Boot API written in Kotlin which authenticates users under a Regular Web App using the “Username-Password-Authentication” connection. I have successfully configured the ClientId, ClientSecret, and Domain to allow my /login endpoint to return an idToken given a requested email / password, but have been unable to figure out how to get the TokenHolder to return a non-null refreshToken.
My code is as follows:
```kotlin
// First request: password login returns an ID token in the TokenHolder
val idTokenRequest: TokenRequest = authAPI.login(requestBody.email, requestBody.password.toCharArray())
val idTokenHolder: TokenHolder = idTokenRequest.execute()
val idTokenString: String = idTokenHolder.idToken
val idToken: Jwt = jwtDecoder.decode(idTokenString)

// Second request: an attempt to obtain a refresh token via requestToken, which comes back null
val audience: String = "<REGULAR_WEB_APP_CLIENT_ID>"
val refreshTokenRequest: TokenRequest = authAPI.requestToken(audience)
val refreshTokenHolder: TokenHolder = refreshTokenRequest.execute()
val refreshTokenString: String? = refreshTokenHolder.refreshToken
val refreshToken: Jwt? = refreshTokenString?.let { jwtDecoder.decode(it) } ?: run { null }
```
When attempting to read .refreshToken from either the refreshTokenHolder or idTokenHolder as listed above, both values are null despite confirming that my Regular Web App has the OIDC Conformance toggle enabled and includes the Refresh Token Grant Type.
I have tried using authAPI.requestToken("<REGULAR_WEB_APP_CLIENT_ID>") as well but can’t find any method in the SDK that will give me back a non-null refreshToken. Any help is much appreciated!
Hey there @nativeink! Very cool that you are using Kotlin
Is there a particular quickstart/guide you are working off of? Are you currently passing any scope to TokenRequest? You should be able to use 1 instance of TokenRequest while including the offline_access scope with the setScope method to specifically request a refresh token.
Ah, yeah, I actually just recently stumbled across scope when reading through the Authentication API docs. I was able to set that using the following code, which did cause the refresh_token to successfully populate within the TokenHolder using the single TokenRequest from login. I found I had to append offline_access to the defaults that were already being used in order to keep everything else working properly.
This did, however, result in what I’m understanding to be an Opaque Token (in the format of v1.Md_...) to be returned for the value as opposed to something I can deserialize as a Jwt - is that to be expected? Or am I missing a necessary step allowing me to read it transparently as a Jwt?
I was able to get the rest of my API <> Client relationship working by interacting with the opaque token as a string on both sides, but still can’t tell from the documentation if this is by design or coincidental. My client doesn’t have insight into the expiration of the refresh token in this case, but is able to react to 401s by attempting a refresh, and if that fails, logging the user out automatically assuming that it is either expired or has been invalidated by a logout request.
I was not able to find a clear Quickstart guide for my use case, since all of the Spring ones demonstrate Spring MVC web app use cases as opposed to Spring Boot APIs, and all of the Java ones demonstrate how to set up a custom Auth0 API as opposed to an Application, which is what I’m looking for. The closest thing I found to it was this Secure an API blog post, which helped in leading me to oauth2-resource-server and working with SecurityFilterChain, but I still had to piece it together with the Authentication API docs and reading through the auth0-java SDK code directly to get to a working prototype.
If you know of any Quickstarts that discuss the specifics of using Auth0 in a Spring Boot API, that would be really helpful! As general feedback, example usage in the README of the auth0-java SDK would be super helpful as well.
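As an added example (not code from either poster), here is the single-TokenRequest approach suggested above with offline_access appended to the default scopes, plus the refresh-on-401 handling the follow-up describes, treating the opaque refresh token as a string rather than decoding it. It assumes the auth0-java 1.x style used in the thread (execute() returning a TokenHolder directly); the domain, client id, client secret and the Session class are placeholders.

```kotlin
import com.auth0.client.auth.AuthAPI
import com.auth0.exception.APIException
import com.auth0.json.auth.TokenHolder

// Placeholder credentials; the real values come from the Regular Web App settings.
val authAPI = AuthAPI("<TENANT_DOMAIN>", "<REGULAR_WEB_APP_CLIENT_ID>", "<REGULAR_WEB_APP_CLIENT_SECRET>")

// The default OIDC scopes the API already relied on, with offline_access added
// so that the same login request also returns a refresh token.
const val LOGIN_SCOPE = "openid profile email offline_access"

// Hypothetical holder for what the API hands back to its client.
data class Session(val idToken: String, val accessToken: String, val refreshToken: String?)

fun login(email: String, password: CharArray): Session {
    try {
        // One TokenRequest: setScope() on the login request, no second requestToken() call.
        val holder: TokenHolder = authAPI.login(email, password)
            .setScope(LOGIN_SCOPE)
            .execute()
        // The refresh token is opaque (e.g. "v1.Md...") by design: store and forward it
        // as a string; only the ID token is a JWT the API can decode and validate.
        return Session(holder.idToken, holder.accessToken, holder.refreshToken)
    } finally {
        password.fill('\u0000') // do not keep the plaintext password around in memory
    }
}

// Exchange the opaque refresh token for a fresh token set. A null result means the
// token is expired, revoked, or otherwise unusable and the client should log the user out.
fun refresh(refreshToken: String): Session? = try {
    val holder: TokenHolder = authAPI.renewAuth(refreshToken).execute()
    // Keep the existing refresh token if Auth0 did not issue a new one.
    Session(holder.idToken, holder.accessToken, holder.refreshToken ?: refreshToken)
} catch (e: APIException) {
    null // typically invalid_grant; treat it as a forced logout rather than retrying
}
```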