How to refresh token using /oauth/token (non interactive)

pdcristofaro · February 3, 2018, 2:21am

Hi
I’m using this: curl --request POST \ –url ‘https://xxxx.auth0.com/oauth/token’ \ –header ‘content-type: application/json’ \ –data ‘{“grant_type”:“password”,“username”: “xxxx”,“password”: “xxxx”,“audience”: “xxxx”, “client_id”: “xxxx”, “client_secret”: “xxxx”}’ but I don receive refresh token in its response, what is missing?

In documentation at Resource Owner Password Flow
it says: “3. Auth0 validates the information and returns an access_token, and optionally a refresh_token.”
Why optionally? How I can indicate auth0 gives me refresh token always?

Thanks!

ricardo.batista · February 6, 2018, 8:05pm

To get a refresh token when using the [Resource Owner Password Grant] (Call Your API Using Resource Owner Password Flow) you must include the offline_access scope, as detailed in the [refresh token documentation] (Refresh Tokens). Your cURL request will look something like:

curl --request POST \ 
  --url 'https://xxxx.auth0.com/oauth/token' \ 
  --header 'content-type: application/json' \ 
  --data '{"grant_type": "password", "username": "xxxx", "password": "xxxx", "audience": "xxxx", "scope": "offline_access", "client_id": "xxxx", "client_secret": "xxxx"}'

The refresh token is optional as per [the specification] (RFC 6749: The OAuth 2.0 Authorization Framework) of the Resource Owner Password Credentials Flow and will always be returned if requested with the offline_access scope and if none of the [restrictions] (Refresh Tokens) apply.

pdcristofaro · February 7, 2018, 12:21am

Thanks a lot Ricardo!
I thought “scope”: “offline_access” was only for /authorize end point.
Just added “scope”: “offline_access” and worked.
Regards.

pdcristofaro · February 7, 2018, 12:21am

Thanks a lot Ricardo!
I thought “scope”: “offline_access” was only for /authorize end point.
Just added “scope”: “offline_access” and worked.
Regards.

kirstyannepollock · July 23, 2019, 8:40am

Hi, I just tried exactly this and do not get a refresh_token back in the response body

request body is like so:

{
    "grant_type": "password",
    "username": "kirsty.pollock@xxx.yyy",
    "password": "xxxxx",
    "audience": "https://xxx/api",
    "client_id": "xxxxxx",
    "client_secret": "xxxxx",
    "scope": "offline_access"
}

I get back

{
    "access_token": "xxxxx",
    "expires_in": 86400,
    "token_type": "Bearer"
}

what am I doing wrong?

mathiasconradt · July 23, 2019, 8:45am

@kirstyannepollock In your API settings, did you enable

Allow Offline Access ?

kirstyannepollock · July 23, 2019, 9:41am

Awesome, that was it!!! Thank you.

system · August 7, 2019, 9:45am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Non interactive client / Resource Owner Password / Refresh Token Help refresh-tokens , resource-owner-passw , non-interactive	2	4348	March 2, 2018
Cannot get refresh token on Resource Owner Password Grant Help refresh-tokens	4	4306	October 26, 2019
Get new Access Token using Refresh Token in resource owner password flow Help sessions , reusable-refresh-tokens	5	1962	August 8, 2023
Not returning Refresh Token from Password Flow Help	5	7210	July 25, 2019
Authentication Token endpoint not providing a Refresh Token? Help refresh-tokens	2	5015	March 2, 2018

How to refresh token using /oauth/token (non interactive)

Related Topics