
How to refresh token using /oauth/token (non interactive)

refresh-tokens
refresh_token

#1

Hi,
I'm using this:

curl --request POST \
  --url 'https://xxxx.auth0.com/oauth/token' \
  --header 'content-type: application/json' \
  --data '{"grant_type": "password", "username": "xxxx", "password": "xxxx", "audience": "xxxx", "client_id": "xxxx", "client_secret": "xxxx"}'

but I don't receive a refresh token in its response. What is missing?

In the documentation at https://auth0.com/docs/api-auth/grant/password
it says: "3. Auth0 validates the information and returns an access_token, and optionally a refresh_token."
Why optionally? How can I indicate that Auth0 should always give me a refresh token?

Thanks!


#2

To get a refresh token when using the [Resource Owner Password Grant](https://auth0.com/docs/api-auth/tutorials/password-grant#ask-for-a-token) you must include the offline_access scope, as detailed in the [refresh token documentation](https://auth0.com/docs/tokens/refresh-token). Your cURL request will look something like:

curl --request POST \
  --url 'https://xxxx.auth0.com/oauth/token' \
  --header 'content-type: application/json' \
  --data '{"grant_type": "password", "username": "xxxx", "password": "xxxx", "audience": "xxxx", "scope": "offline_access", "client_id": "xxxx", "client_secret": "xxxx"}'

The refresh token is optional as per [the specification](https://tools.ietf.org/html/rfc6749#section-4.3) of the Resource Owner Password Credentials Flow and will always be returned if requested with the offline_access scope and if none of the [restrictions](https://auth0.com/docs/tokens/refresh-token/current#restrictions) apply.
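The two requests behind this thread's title, as an added example that is not part of the thread or of Auth0's own code: the password grant with the offline_access scope (the request in reply #2, which is what makes the response carry refresh_token), followed by the standard grant_type=refresh_token exchange against the same /oauth/token endpoint (RFC 6749 section 6, which the thread itself does not show). The tenant domain, audience and client credentials are the thread's "xxxx" placeholders; the transport is injectable so the script runs offline against a constructed stand-in for the token endpoint, and `http_post_json` is the real transport to swap in against a tenant.

```python
"""Get a refresh token via the password grant, then use it (added example)."""
import json
import urllib.request
from typing import Callable, Dict

# Placeholder tenant, as in the thread's curl commands; replace with your own.
AUTH0_DOMAIN = "xxxx.auth0.com"
TOKEN_URL = f"https://{AUTH0_DOMAIN}/oauth/token"

# A transport takes (url, json_body) and returns the decoded JSON reply.
PostFn = Callable[[str, Dict[str, str]], Dict[str, object]]


def http_post_json(url: str, body: Dict[str, str]) -> Dict[str, object]:
    """Real transport: POST a JSON body, as the curl in the thread does."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        headers={"content-type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def has_offline_access(scope: str) -> bool:
    """True if the space-separated scope string asks for a refresh token."""
    return "offline_access" in scope.split()


def password_grant(username: str, password: str, audience: str,
                   client_id: str, client_secret: str,
                   scope: str = "offline_access",
                   post: PostFn = http_post_json) -> Dict[str, object]:
    """Resource Owner Password grant (RFC 6749 section 4.3).

    The refresh token is optional in the spec; Auth0 issues one only when
    offline_access is requested, so refuse to send a request that cannot
    return one rather than silently getting only an access_token back.
    """
    if not has_offline_access(scope):
        raise ValueError("scope must include offline_access to get a refresh_token")
    body = {
        "grant_type": "password",
        "username": username,
        "password": password,
        "audience": audience,
        "scope": scope,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    tokens = post(TOKEN_URL, body)
    if "refresh_token" not in tokens:
        # offline_access was sent, so one of the documented restrictions
        # applies (e.g. the API's Allow Offline Access setting is off).
        raise RuntimeError(f"no refresh_token in response: {tokens}")
    return tokens


def refresh_access_token(refresh_token: str, client_id: str, client_secret: str,
                         post: PostFn = http_post_json) -> Dict[str, object]:
    """Exchange the refresh token for a new access token (RFC 6749 section 6)."""
    body = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }
    tokens = post(TOKEN_URL, body)
    if "access_token" not in tokens:
        raise RuntimeError(f"refresh failed: {tokens}")
    return tokens


def fake_token_endpoint(url: str, body: Dict[str, str]) -> Dict[str, object]:
    """Constructed stand-in for /oauth/token so the example runs offline.

    It reproduces only the behaviour observed in the thread: a refresh_token
    appears in the password-grant reply only when offline_access was requested.
    """
    assert url == TOKEN_URL
    if body.get("grant_type") == "password":
        reply = {"access_token": "at-1", "token_type": "Bearer", "expires_in": 86400}
        if has_offline_access(body.get("scope", "")):
            reply["refresh_token"] = "rt-1"
        return reply
    if body.get("grant_type") == "refresh_token" and body.get("refresh_token") == "rt-1":
        return {"access_token": "at-2", "token_type": "Bearer", "expires_in": 86400}
    return {"error": "invalid_grant"}


def demo(post: PostFn = fake_token_endpoint) -> Dict[str, object]:
    """Run both steps and return the refreshed token set."""
    first = password_grant("xxxx", "xxxx", "xxxx", "xxxx", "xxxx", post=post)
    return refresh_access_token(str(first["refresh_token"]), "xxxx", "xxxx", post=post)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Treat the refresh token as a long-lived bearer credential: it lives with the client secret, never in a browser or log line, and the password grant itself means the application handles the user's password directly, which is why Auth0 documents it for trusted first-party clients only.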


#3

Thanks a lot Ricardo!
I thought "scope": "offline_access" was only for the /authorize endpoint.
I just added "scope": "offline_access" and it worked.
Regards.
