Hi
I’m using this:

```
curl --request POST \
  --url 'https://xxxx.auth0.com/oauth/token' \
  --header 'content-type: application/json' \
  --data '{"grant_type":"password","username": "xxxx","password": "xxxx","audience": "xxxx", "client_id": "xxxx", "client_secret": "xxxx"}'
```

but I don’t receive a refresh token in its response. What is missing?
In the documentation at Resource Owner Password Flow
it says: “3. Auth0 validates the information and returns an access_token, and optionally a refresh_token.”
Why optionally? How can I indicate that Auth0 should always give me a refresh token?
To get a refresh token when using the Resource Owner Password Grant (Call Your API Using Resource Owner Password Flow) you must include the offline_access scope, as detailed in the refresh token documentation (Refresh Tokens). Your cURL request will look something like:
The refresh token is optional as per the specification (RFC 6749: The OAuth 2.0 Authorization Framework) of the Resource Owner Password Credentials Flow and will always be returned if requested with the offline_access scope and if none of the restrictions (Refresh Tokens) apply.
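
The request the answer describes, written out as an added example (not part of the original thread): the same password-grant call with `"scope":"offline_access"` in the body, sent on stdin so the password and client secret stay off curl's command line, plus a check that the response carries a `refresh_token`. `AUTH0_DOMAIN`, the function names and all argument values are assumptions.

```shell
#!/bin/sh
# Added example. AUTH0_DOMAIN and all argument values are placeholders (assumptions).

# Escape backslashes and double quotes so a value is safe inside a JSON string.
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Build the password-grant body. The "scope" member carries offline_access,
# which is what the request in the question is missing.
# Args: username password audience client_id client_secret
ropg_body() (
  u=$(json_escape "$1"); p=$(json_escape "$2"); a=$(json_escape "$3")
  c=$(json_escape "$4"); s=$(json_escape "$5")
  printf '{"grant_type":"password","username":"%s","password":"%s",' "$u" "$p"
  printf '"audience":"%s","scope":"offline_access",' "$a"
  printf '"client_id":"%s","client_secret":"%s"}' "$c" "$s"
)

# POST the body to the token endpoint. The body goes in on stdin (--data @-),
# so the password and client secret are not on curl's command line.
request_tokens() {
  ropg_body "$@" | curl --silent --show-error --request POST \
    --url "https://${AUTH0_DOMAIN}/oauth/token" \
    --header 'content-type: application/json' \
    --data @-
}

# Succeed only if the JSON response carries a non-empty refresh_token.
has_refresh_token() {
  printf '%s' "$1" | grep -Eq '"refresh_token"[[:space:]]*:[[:space:]]*"[^"]+"'
}

# Usage (needs network access and real values):
#   resp=$(request_tokens "$USERNAME" "$PASSWORD" "$AUDIENCE" "$CLIENT_ID" "$CLIENT_SECRET")
#   has_refresh_token "$resp" || echo "no refresh_token in response" >&2
```

If the check fails even with the scope present, one of the restrictions the answer mentions applies.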