I’d like to refresh an auth0 token before it expires (for 2 reasons: not being disconnected + updating its content). Let’s say every 2 hours, whereas the token is valid for 2 days.
From my understanding there are 2 ways:
use a refresh token and call /oauth/token to refresh our token
=> I don’t like this solution because I’d have to store this refresh_token in the browser, which is not very secure
=> I tried with a “regular” token but couldn’t make it work (maybe I made a mistake and it should?)
silent authentication by calling /authorize with prompt=none
=> in my application I’d need to do the call from a backend, so it wouldn’t work (in my understanding it requires the auth0 cookie session and)
=> I could do it from our frontend; however, on the SPA load, if the token is more than 2 hours old, I’d need to do the round-trip to auth0 to refresh it (I’d like to avoid it)
Am I understanding well? Is there an endpoint where I could simply generate a new token from an existing one?
Yes, you have the correct understanding! And yes, there is an endpoint to generate a new access token and it is through the /oauth/token endpoint which you have discovered. I recommend checking out our Use Refresh Tokens documentation if you experienced issues using your refresh token.
Next, silent authentication is another recommended approach, which you have also found.
Yes, this is correct. In this case, I suggest using Refresh Tokens.
Please give it another try using refresh tokens and let me know how it goes.
Concerning refresh tokens, I’d like to avoid generating those. I read the documentation and, if I understand well, 1/ it should be stored in the browser, which I’d like to avoid as much as possible for security; 2/ we have to handle the rotation, and I’d like to keep our process as simple as possible.
So I’d like to call this /oauth/token endpoint but by providing a valid token only (and not a refresh token) - before it expires. I tested it and it returns this error:
{
"error": "invalid_grant",
"error_description": "Unknown or invalid refresh token."
}
I provided the params grant_type, client_id, refresh_token, client_secret, according to the doc.
So I guess it means it is only possible using a refresh token? In my understanding a refresh_token was exactly the same as a usual token - only its use is different - so I’m probably wrong.
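To make the two outcomes discussed in this thread concrete (the staff reply's refresh_token grant against /oauth/token, and the invalid_grant error the poster gets when a regular access token is placed in the refresh_token field), here is an added example that is not from Auth0 or the original posts. The JWT builder, the domain, the client id, the refresh token value and the `fake_post` stand-in for the HTTP client are all constructed for the example; the only claims read from the token are iat and exp, and the signature is deliberately not verified here, so this check is for deciding when to refresh, not for trusting the token.

```python
import base64
import json
import time
from typing import Callable, Dict, Optional, Tuple

REFRESH_INTERVAL = 2 * 60 * 60  # refresh every 2 hours, as planned in the thread

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token (header.payload.<empty signature>) for local tests only."""
    return ".".join([_b64url(b'{"alg":"none"}'), _b64url(json.dumps(claims).encode()), ""])

def token_claims(jwt: str) -> dict:
    """Decode the payload only. This does NOT verify the signature; use it just for timing."""
    return json.loads(_unb64url(jwt.split(".")[1]))

def should_refresh(jwt: str, now: float, interval: int = REFRESH_INTERVAL) -> bool:
    """True once the token is older than `interval` seconds or has already expired."""
    c = token_claims(jwt)
    return now >= c["exp"] or now - c["iat"] >= interval

def refresh_access_token(post: Callable[[str, dict], Tuple[int, dict]], domain: str,
                         client_id: str, refresh_token: str,
                         client_secret: Optional[str] = None) -> dict:
    """POST the refresh_token grant to /oauth/token. A public client (SPA) sends no client_secret."""
    body: Dict[str, str] = {"grant_type": "refresh_token", "client_id": client_id,
                            "refresh_token": refresh_token}
    if client_secret:
        body["client_secret"] = client_secret
    status, resp = post(f"https://{domain}/oauth/token", body)
    if status != 200:
        raise RuntimeError(f"{resp.get('error')}: {resp.get('error_description')}")
    return resp

VALID_REFRESH_TOKEN = "rt_constructed_example"  # constructed; real ones are opaque strings issued by Auth0

def fake_post(url: str, body: dict) -> Tuple[int, dict]:
    """Stand-in for an HTTP client, mimicking the two responses discussed in the thread."""
    if body.get("grant_type") == "refresh_token" and body.get("refresh_token") == VALID_REFRESH_TOKEN:
        now = int(time.time())
        return 200, {"access_token": make_unsigned_jwt({"iat": now, "exp": now + 2 * 86400}),
                     "expires_in": 2 * 86400, "token_type": "Bearer"}
    # Anything else, including an access token put in the refresh_token field, is rejected.
    return 400, {"error": "invalid_grant", "error_description": "Unknown or invalid refresh token."}
```

Swap `fake_post` for a real HTTP call (for example a `requests.post(url, json=body)` wrapper returning `(resp.status_code, resp.json())`) to talk to a tenant.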