Hi
I'm using this:
curl --request POST \
--url 'https://xxxx.auth0.com/oauth/token' \
--header 'content-type: application/json' \
--data '{"grant_type":"password","username": "xxxx","password": "xxxx","audience": "xxxx", "client_id": "xxxx", "client_secret": "xxxx"}'
but I don't receive a refresh token in its response. What is missing?
In documentation at Resource Owner Password Flow
it says: “3. Auth0 validates the information and returns an access_token, and optionally a refresh_token.”
Why optionally? How can I make Auth0 always give me a refresh token?
Thanks!
To get a refresh token when using the Resource Owner Password Grant (Call Your API Using Resource Owner Password Flow) you must include the offline_access scope, as detailed in the refresh token documentation (Refresh Tokens). Your cURL request will look something like:
curl --request POST \
--url 'https://xxxx.auth0.com/oauth/token' \
--header 'content-type: application/json' \
--data '{"grant_type": "password", "username": "xxxx", "password": "xxxx", "audience": "xxxx", "scope": "offline_access", "client_id": "xxxx", "client_secret": "xxxx"}'
The refresh token is optional as per the specification (RFC 6749: The OAuth 2.0 Authorization Framework) of the Resource Owner Password Credentials Flow and will always be returned if requested with the offline_access scope and if none of the restrictions (Refresh Tokens) apply.
Thanks a lot Ricardo!
I thought "scope": "offline_access" was only for the /authorize endpoint.
Just added "scope": "offline_access" and it worked.
Regards.
Hi, I just tried exactly this and do not get a refresh_token back in the response body
request body is like so:
{
"grant_type": "password",
"username": "kirsty.pollock@xxx.yyy",
"password": "xxxxx",
"audience": "https://xxx/api",
"client_id": "xxxxxx",
"client_secret": "xxxxx",
"scope": "offline_access"
}
I get back
{
"access_token": "xxxxx",
"expires_in": 86400,
"token_type": "Bearer"
}
what am I doing wrong?
@kirstyannepollock In your API settings, did you enable Allow Offline Access?
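The two fixes in this thread (Ricardo's answer: send scope=offline_access in the password grant; the follow-up: enable Allow Offline Access on the API) put together as an added Python example. This is not code from the thread or from Auth0; the tenant domain, credentials and audience are placeholders, and the fake token endpoint at the bottom is constructed so the logic can be run offline. It builds the /oauth/token request, sends it through a pluggable transport, and, when no refresh_token comes back, reports which of the two causes is the likely one.

```python
"""Added example (not from the thread or Auth0): Resource Owner Password grant
with offline_access, plus a diagnosis of why refresh_token may be missing.

Two things must both hold for Auth0 to issue a refresh token here:
  1. the token request carries scope=offline_access;
  2. the API named by `audience` has "Allow Offline Access" enabled.
Domain, credentials and audience used below are placeholders."""
import json
import urllib.request
from typing import Callable, Dict, Optional

# A transport is (url, method, headers, body) -> decoded JSON.  Abstracting it
# lets the same code talk to a real tenant or to the constructed fake below.
Transport = Callable[[str, str, Dict[str, str], bytes], dict]


def urllib_transport(url: str, method: str, headers: Dict[str, str], body: bytes) -> dict:
    """Real HTTPS transport using only the standard library."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def build_password_grant(username: str, password: str, audience: str,
                         client_id: str, client_secret: str,
                         scope: str = "offline_access") -> dict:
    """JSON body for POST /oauth/token.  offline_access is the scope that asks
    Auth0 for a refresh_token; the key is omitted only when scope is empty."""
    body = {
        "grant_type": "password",
        "username": username,
        "password": password,
        "audience": audience,
        "client_id": client_id,
        "client_secret": client_secret,  # only ever from a confidential (server-side) client
    }
    if scope:
        body["scope"] = scope
    return body


def request_tokens(domain: str, body: dict, transport: Transport = urllib_transport) -> dict:
    """POST the grant to the tenant's token endpoint and return the JSON reply."""
    url = f"https://{domain}/oauth/token"
    headers = {"content-type": "application/json"}
    return transport(url, "POST", headers, json.dumps(body).encode("utf-8"))


def diagnose_missing_refresh_token(requested_scope: str, response: dict) -> Optional[str]:
    """None when a refresh_token came back, otherwise the most likely cause."""
    if "refresh_token" in response:
        return None
    if "offline_access" not in requested_scope.split():
        return "scope does not include offline_access; add it to the token request"
    # RFC 6749 s5.1: the server includes `scope` when it granted less than was
    # requested, so an explicit scope without offline_access confirms a refusal.
    # Either way the remaining cause is the API setting, not the request body.
    granted = response.get("scope", "").split()
    refused = "scope" in response and "offline_access" not in granted
    return ("offline_access was " + ("refused" if refused else "not honoured")
            + "; enable 'Allow Offline Access' on the API (the audience) in the Auth0 dashboard")


def redact(response: dict) -> dict:
    """Log the shape of a token response, never the tokens themselves."""
    return {k: f"<{len(v)} chars>" if k.endswith("_token") and isinstance(v, str) else v
            for k, v in response.items()}


def make_fake_auth0(allow_offline_access: bool) -> Transport:
    """Constructed stand-in for the Auth0 token endpoint so this runs offline.
    It mirrors the thread: refresh_token only with offline_access AND the API flag."""
    def transport(url: str, method: str, headers: Dict[str, str], body: bytes) -> dict:
        assert url.endswith("/oauth/token") and method == "POST"
        req = json.loads(body)
        resp = {"access_token": "xxxxx", "expires_in": 86400, "token_type": "Bearer"}
        if "offline_access" in req.get("scope", "").split() and allow_offline_access:
            resp["refresh_token"] = "yyyyy"
        return resp
    return transport


if __name__ == "__main__":
    body = build_password_grant("xxxx", "xxxx", "https://xxx/api", "xxxx", "xxxx")
    for flag in (False, True):  # first the unfixed API, then with Allow Offline Access on
        resp = request_tokens("xxxx.auth0.com", body, make_fake_auth0(flag))
        print(redact(resp), diagnose_missing_refresh_token(body["scope"], resp))
```

Against a real tenant, pass `urllib_transport` (the default) and your own domain; the refresh token that comes back is a long-lived credential, so store it like a password and keep `redact` between the response and any log line.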
Awesome, that was it!!! Thank you.