I am trying to follow this topic, but don’t fully understand how to make it work. Here is my code:
```js
import { createAuth0Client } from '@auth0/auth0-spa-js';

createAuth0Client({
  domain: Settings.auth0_domain,
  clientId: Settings.auth0_clientId,
  useRefreshTokens: true,
  // note: audience is normally the API identifier from your API settings, not a scope
  authorizationParams: { audience: "offline_access", scope: "offline_access", prompt: "none" },
}).then(auth0Client => {
  // use auth0Client here, e.g. auth0Client.getTokenSilently()
});
```
@ty.frith - Can you help me with this?
Hey there @bbarnell !
At a most basic level, all that’s required is setting useRefreshTokens: true and enabling refresh token rotation for the relevant application in your dashboard settings.
Here’s a working example if you’d like to check it out - If I omit the useRefreshTokens: true flag then the application will resort to using silent auth if I click the “ping” button (getTokenSilently) of the external API page. With useRefreshTokens: true, you can see the offline_access scope included in the initial authorize request constructed on login, and subsequently a refresh token returned from the token endpoint:
Now when I click “ping api”, I can see a successful refresh token exchange in my logs (monitoring → logs):
Hello,
With a SPA, in order to get the refresh token from the /token endpoint:
- SPA: set config useRefreshTokens to true
- API Config: set Allow Offline Access to true
- Application config: Advanced Settings \ Grant Types \ Refresh Token enable
- Application config: enable Refresh Token Rotation
Enabling RTR was the key for me to retrieve the refresh token.
Hope this helps!
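To make the four settings above concrete, here is an added example (not code from the thread or from Auth0) that models how the SPA option and the three dashboard settings combine to decide whether the /token endpoint returns a refresh token, which scope ends up in the authorize request, and whether getTokenSilently() can renew via a refresh token or has to fall back to silent auth. The function names and the sample configuration values (domain, client id, audience) are assumptions for illustration only.

```javascript
// Added example, not code from the original thread or from Auth0.
// It models how useRefreshTokens and the three dashboard settings listed in
// the post above combine; function names and sample values are assumptions.

// auth0-spa-js defaults to "openid profile email"; offline_access is added
// to the authorize request only when useRefreshTokens is true.
function buildAuthorizeScope(spaConfig) {
  const scopes = new Set(['openid', 'profile', 'email']);
  const extra = (spaConfig.authorizationParams && spaConfig.authorizationParams.scope) || '';
  extra.split(/\s+/).filter(Boolean).forEach((s) => scopes.add(s));
  if (spaConfig.useRefreshTokens) scopes.add('offline_access');
  return [...scopes].join(' ');
}

// Checks the four settings from the post above and reports which are missing.
// A refresh token is only issued when all four are in place.
function checkRefreshTokenSetup(spaConfig, apiConfig, appConfig) {
  const problems = [];
  if (!spaConfig.useRefreshTokens) problems.push('SPA: useRefreshTokens is not true');
  if (!apiConfig.allowOfflineAccess) problems.push('API: Allow Offline Access is disabled');
  if (!appConfig.grantTypes.includes('refresh_token')) problems.push('Application: Refresh Token grant type is disabled');
  if (!appConfig.refreshTokenRotation) problems.push('Application: Refresh Token Rotation is disabled');
  return {
    refreshTokenIssued: problems.length === 0,
    scope: buildAuthorizeScope(spaConfig),
    problems,
  };
}

// Without a refresh token, getTokenSilently() falls back to silent auth in a
// hidden iframe, which depends on the Auth0 session cookie being sent as a
// third-party cookie; with a stored refresh token it calls /token directly.
function renewalStrategy(spaConfig, hasRefreshToken) {
  return spaConfig.useRefreshTokens && hasRefreshToken ? 'refresh_token_exchange' : 'silent_auth_iframe';
}

// Constructed sample settings mirroring the configuration described in the thread.
const SAMPLE_SPA_CONFIG = {
  domain: 'example-tenant.auth0.com', // placeholder
  clientId: 'EXAMPLE_CLIENT_ID', // placeholder
  useRefreshTokens: true,
  authorizationParams: { audience: 'https://api.example.com', scope: 'read:pings', prompt: 'none' },
};
const SAMPLE_API_CONFIG = { identifier: 'https://api.example.com', allowOfflineAccess: true };
const SAMPLE_APP_CONFIG = { grantTypes: ['authorization_code', 'refresh_token'], refreshTokenRotation: true };

const report = checkRefreshTokenSetup(SAMPLE_SPA_CONFIG, SAMPLE_API_CONFIG, SAMPLE_APP_CONFIG);
console.log(report);
console.log(renewalStrategy(SAMPLE_SPA_CONFIG, report.refreshTokenIssued));
```

Run it with `node` to see the report; flipping `refreshTokenRotation` to `false` in the sample app config reproduces the situation where everything else looks right but no refresh token comes back, and `renewalStrategy` then shows why token renewal silently falls back to the iframe path.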
@Jerome.Piquet.AD I have most of it working, except when I log out in the application without leaving the application and then log back in again, the application uses 3rd-party cookies. I don’t understand why Auth0 did not use cookies on the first login, but it uses them the second time?