How to refresh token using /oauth/token (non interactive)

Hi
I'm using this:

curl --request POST \
  --url 'https://xxxx.auth0.com/oauth/token' \
  --header 'content-type: application/json' \
  --data '{"grant_type": "password", "username": "xxxx", "password": "xxxx", "audience": "xxxx", "client_id": "xxxx", "client_secret": "xxxx"}'

but I don't receive a refresh token in its response. What is missing?

In documentation at https://auth0.com/docs/api-auth/grant/password
it says: "3. Auth0 validates the information and returns an access_token, and optionally a refresh_token."
Why optionally? How can I make Auth0 always give me a refresh token?

Thanks!

To get a refresh token when using the [Resource Owner Password Grant](https://auth0.com/docs/api-auth/tutorials/password-grant#ask-for-a-token) you must include the offline_access scope, as detailed in the [refresh token documentation](https://auth0.com/docs/tokens/refresh-token). Your cURL request will look something like:

curl --request POST \
  --url 'https://xxxx.auth0.com/oauth/token' \
  --header 'content-type: application/json' \
  --data '{"grant_type": "password", "username": "xxxx", "password": "xxxx", "audience": "xxxx", "scope": "offline_access", "client_id": "xxxx", "client_secret": "xxxx"}'

The refresh token is optional as per [the specification](https://tools.ietf.org/html/rfc6749#section-4.3) of the Resource Owner Password Credentials Flow and will always be returned if requested with the offline_access scope and if none of the [restrictions](https://auth0.com/docs/tokens/refresh-token/current#restrictions) apply.
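The two calls described above, as a small added client (example code written for this thread, not Auth0's own SDK): it sends the password grant with the offline_access scope, checks whether a refresh_token actually came back (naming the two causes seen in this thread when it did not), and then performs the non-interactive refresh_token grant against the same /oauth/token endpoint. The tenant URL and credentials are placeholders, and the optional `send` argument is a hypothetical hook for substituting a stub transport.

```python
import json
from urllib import request

# Placeholder tenant URL, as in the thread; not a real endpoint.
TOKEN_URL = "https://xxxx.auth0.com/oauth/token"


def password_grant_body(username, password, audience, client_id, client_secret):
    """Resource Owner Password grant body; "scope": "offline_access" is what
    asks Auth0 to include a refresh_token alongside the access_token."""
    return {"grant_type": "password", "username": username, "password": password,
            "audience": audience, "scope": "offline_access",
            "client_id": client_id, "client_secret": client_secret}


def refresh_grant_body(refresh_token, client_id, client_secret):
    """Body for the follow-up, non-interactive exchange of a refresh_token for a new access_token."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": client_id, "client_secret": client_secret}


def explain_token_response(resp):
    """None when a refresh_token is present; otherwise a message naming the two
    causes seen in this thread (scope not requested, API's Allow Offline Access off)."""
    if "error" in resp:  # standard OAuth error response (RFC 6749 section 5.2)
        return "%s: %s" % (resp["error"], resp.get("error_description", ""))
    if "refresh_token" in resp:
        return None
    return ("no refresh_token returned: request the offline_access scope and make "
            "sure 'Allow Offline Access' is enabled in the API's settings")


def post_json(url, body, send=None):
    """POST body as JSON; a hypothetical send(url, body) hook may be injected to avoid the network."""
    if send is not None:
        return send(url, body)
    req = request.Request(url, data=json.dumps(body).encode(),
                          headers={"content-type": "application/json"})
    with request.urlopen(req) as r:
        return json.load(r)


def obtain_and_refresh(creds, send=None):
    """Get an initial token pair, check it, then use the refresh_token once."""
    first = post_json(TOKEN_URL, password_grant_body(**creds), send)
    problem = explain_token_response(first)
    if problem:
        raise RuntimeError(problem)
    second = post_json(TOKEN_URL, refresh_grant_body(
        first["refresh_token"], creds["client_id"], creds["client_secret"]), send)
    return first, second
```

With `send=None` the functions post to TOKEN_URL over HTTPS; pass a callable that returns a parsed JSON dict to exercise the flow without a tenant.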

Thanks a lot Ricardo!
I thought "scope": "offline_access" was only for the /authorize endpoint.
Just added "scope": "offline_access" and it worked.
Regards.

Hi, I just tried exactly this and do not get a refresh_token back in the response body

request body is like so:

{
    "grant_type": "password",
    "username": "kirsty.pollock@xxx.yyy",
    "password": "xxxxx",
    "audience": "https://xxx/api",
    "client_id": "xxxxxx",
    "client_secret": "xxxxx",
    "scope": "offline_access"
}

I get back

{
    "access_token": "xxxxx",
    "expires_in": 86400,
    "token_type": "Bearer"
}

what am I doing wrong?

@kirstyannepollock In your API settings, did you enable Allow Offline Access?

Awesome, that was it!!! Thank you.