I followed the React starting guide and successfully implemented session cookie based authentication in our React frontend. Now I’d like to switch to using rotating refresh tokens but am facing problems doing so. I read this blog post and followed this implementation.
I’m using getAccessTokenSilently with the audience parameter set to get an access token for further requests to my backend API. The React application falls back to session based authentication and does not use the refresh token to get a new access token.
I’m wondering whether I misunderstood some basic concept. Should one use rotating refresh tokens in a setup with a SPA frontend and some backend APIs?
If yes, I’d be really happy if someone could explain to me how to implement rotating refresh tokens with the audience parameter in React.
If you are using the Auth0 React SDK (different from auth0-spa-js), you will need to tell the SDK to use refresh tokens. You can also instruct it to store them in localStorage.
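Added example, not code from this thread or from Auth0: the wiring the answer above describes, written as plain functions so it can be run and checked outside React. Prop names follow @auth0/auth0-react v1 (`useRefreshTokens`, `cacheLocation`, `audience`, `redirectUri`); v2 moves `audience` and `redirect_uri` under `authorizationParams`, so adjust if you are on that version. The domain, client ID, audience and URLs are placeholders, and the `callApi` helper is my own wrapper, not an SDK function.

```javascript
// Added example: Auth0 React SDK set up for rotating refresh tokens with an
// API audience. Prop names assume @auth0/auth0-react v1; all identifiers
// below are placeholders.

const SCOPE = 'openid profile email offline_access'; // offline_access => ask for a refresh token

// Placeholder tenant/app values (constructed for the example).
const EXAMPLE_CONFIG = {
  domain: 'example.us.auth0.com',
  clientId: 'YOUR_CLIENT_ID',
  audience: 'https://api.example.com',
  redirectUri: 'https://app.example.com',
};

// Props to spread into <Auth0Provider {...auth0ProviderProps(cfg)}> in index.js.
function auth0ProviderProps({ domain, clientId, audience, redirectUri }) {
  return {
    domain,
    clientId,
    redirectUri,
    // Ask for an access token for this API at login, so the refresh token the
    // SDK caches is tied to the same audience getAccessTokenSilently will use.
    audience,
    scope: SCOPE,
    // Without this the SDK never requests a refresh token and silent renewal
    // goes through the Auth0 session (hidden iframe) path instead.
    useRefreshTokens: true,
    // The default 'memory' cache is lost on every reload, so a persisted
    // refresh token needs 'localstorage'. Caveat: anything in localStorage is
    // readable by any script on the origin (XSS); rotation with reuse
    // detection enabled on the tenant is what limits the value of a stolen one.
    cacheLocation: 'localstorage',
  };
}

// Options for getAccessTokenSilently(). The SDK keys its cache on client ID,
// audience and scope, so these must match what the provider was given or there
// is no cached refresh token to use and the SDK falls back to the session flow.
function tokenOptions(audience) {
  return { audience, scope: SCOPE };
}

// Component-side helper (my wrapper, not an SDK API): `getAccessTokenSilently`
// comes from useAuth0(), `fetchImpl` is window.fetch. Resolves to
// { status, body }; errors that need an interactive login are surfaced so the
// caller can send the user to loginWithRedirect() instead of retrying silently.
async function callApi(getAccessTokenSilently, fetchImpl, url, audience) {
  let token;
  try {
    token = await getAccessTokenSilently(tokenOptions(audience));
  } catch (err) {
    // auth0-spa-js errors carry an `error` code; these two mean neither a
    // usable refresh token nor an Auth0 session is available.
    if (err && (err.error === 'login_required' || err.error === 'consent_required')) {
      throw new Error(`interactive login needed: ${err.error}`);
    }
    throw err;
  }
  const res = await fetchImpl(url, {
    headers: { Authorization: `Bearer ${token}` },
  });
  return { status: res.status, body: await res.json() };
}

// Usage inside a component:
//   const { getAccessTokenSilently } = useAuth0();
//   const { body } = await callApi(getAccessTokenSilently, fetch,
//                                  'https://api.example.com/me', EXAMPLE_CONFIG.audience);
```

The point to check when the fallback to the session flow shows up: the audience given to `Auth0Provider` and the one passed to `getAccessTokenSilently` must be the same string, because the cached refresh token is looked up by audience and scope.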
Thanks @dan.woda, storing RTs in localStorage did it.
And I figured out that I misunderstood the docs on getAccessTokenSilently. As I understand it now, the /token endpoint is called with the ‘refresh_token’ grant in an iframe if there’s a refresh token stored and the audience parameter is set. So no fallback to session authentication in this case.