How to get refresh tokens to work in Single Page Application (SPA) API

I am trying to follow this topic, but don’t fully understand how to make it work. Here is my code:

```javascript
  domain: Settings.auth0_domain,
  clientId: Settings.auth0_clientId,
  useRefreshTokens: true,
  authorizationParams: { audience: "offline_access", scope: "offline_access", prompt: "none" },
}).then(auth0Client => {
```

@tyf - Can you help me with this?


Hey there @bbarnell !

At a most basic level, all that’s required is setting useRefreshTokens: true and enabling refresh token rotation for the relevant application in your dashboard settings.

Here’s a working example if you’d like to check it out - If I omit the useRefreshTokens: true flag then the application will resort to using silent auth if I click the “ping” button (getTokenSilently) of the external API page. With useRefreshTokens: true, you can see the offline_access scope included in the initial authorize request constructed on login, and subsequently a refresh token returned from the token endpoint:

Now when I click “ping api”, I can see a successful refresh token exchange in my logs (monitoring → logs):


With a SPA, in order to get the refresh token from the /token endpoint:

  • SPA: set config useRefreshTokens to true
  • API Config: set Allow Offline Access to true
  • Application config: Advanced Settings \ Grant Types \ Refresh Token enable
  • Application config: enable Refresh Token Rotation

Enabling RTR was the key for me to retrieve the refresh token.
Hope this helps!

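The refresh token exchange discussed in the replies above, as an added example that is not code from the thread or from Auth0: a small in-memory model of a token endpoint that returns a refresh token only when `offline_access` is requested and allowed, and rotates it on every use. It goes one step beyond the thread by modelling the reuse detection that rotation makes possible; `MockTokenEndpoint`, `opaque` and `demo` are hypothetical names, and the token values are constructed.

```javascript
// Model of a token endpoint with refresh token rotation (constructed; not Auth0's code).
let counter = 0;
const opaque = (prefix) => `${prefix}_${++counter}`; // stand-in for a CSPRNG-generated token

class MockTokenEndpoint {
  constructor({ allowOfflineAccess }) {
    this.allowOfflineAccess = allowOfflineAccess; // models "Allow Offline Access" on the API
    this.refreshTokens = new Map();               // refresh token -> { family, used }
    this.revokedFamilies = new Set();
  }

  issue(family, withRefreshToken) {
    const response = { access_token: opaque("at") };
    if (withRefreshToken) {
      response.refresh_token = opaque("rt");
      this.refreshTokens.set(response.refresh_token, { family, used: false });
    }
    return response;
  }

  // Login: a refresh token is returned only when offline_access was requested and allowed.
  exchangeCode(scope) {
    const wantsOffline = scope.split(" ").includes("offline_access");
    return this.issue(opaque("family"), wantsOffline && this.allowOfflineAccess);
  }

  // grant_type=refresh_token: each token is single-use; replaying a used one revokes the family.
  refresh(refreshToken) {
    const record = this.refreshTokens.get(refreshToken);
    if (!record || this.revokedFamilies.has(record.family)) return { error: "invalid_grant" };
    if (record.used) {
      this.revokedFamilies.add(record.family);
      return { error: "invalid_grant" };
    }
    record.used = true;
    return this.issue(record.family, true);
  }
}

function demo() {
  const endpoint = new MockTokenEndpoint({ allowOfflineAccess: true });
  const noOffline = endpoint.exchangeCode("openid profile email");
  const login = endpoint.exchangeCode("openid profile email offline_access");
  const rotated = endpoint.refresh(login.refresh_token);       // normal use: new token issued
  const replayed = endpoint.refresh(login.refresh_token);      // old token presented again
  const afterReplay = endpoint.refresh(rotated.refresh_token); // family is now revoked
  return { noOffline, login, rotated, replayed, afterReplay };
}
```

In the model, a replayed refresh token invalidates the newest token in the same family as well, so a copied token cannot be used quietly alongside the legitimate client.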

@Jerome.Piquet.AD I have most of it working, except when I log out in the application without leaving the application, and then log back in again, the application uses 3rd party cookies. I don’t understand why Auth0 did not use cookies on the first login, but it uses them the second time?
