How to refresh token using /oauth/token (non interactive)

pdcristofaro · February 3, 2018, 2:21am

Hi
I’m using this: curl --request POST \ –url ‘https://xxxx.auth0.com/oauth/token’ \ –header ‘content-type: application/json’ \ –data ‘{“grant_type”:“password”,“username”: “xxxx”,“password”: “xxxx”,“audience”: “xxxx”, “client_id”: “xxxx”, “client_secret”: “xxxx”}’ but I don receive refresh token in its response, what is missing?

In documentation at Resource Owner Password Flow
it says: “3. Auth0 validates the information and returns an access_token, and optionally a refresh_token.”
Why optionally? How I can indicate auth0 gives me refresh token always?

Thanks!

ricardo.batista · February 6, 2018, 8:05pm

To get a refresh token when using the [Resource Owner Password Grant] (Call Your API Using Resource Owner Password Flow) you must include the offline_access scope, as detailed in the [refresh token documentation] (Refresh Tokens). Your cURL request will look something like:

curl --request POST \ 
  --url 'https://xxxx.auth0.com/oauth/token' \ 
  --header 'content-type: application/json' \ 
  --data '{"grant_type": "password", "username": "xxxx", "password": "xxxx", "audience": "xxxx", "scope": "offline_access", "client_id": "xxxx", "client_secret": "xxxx"}'

The refresh token is optional as per [the specification] (RFC 6749: The OAuth 2.0 Authorization Framework) of the Resource Owner Password Credentials Flow and will always be returned if requested with the offline_access scope and if none of the [restrictions] (Refresh Tokens) apply.

pdcristofaro · February 7, 2018, 12:21am

Thanks a lot Ricardo!
I thought “scope”: “offline_access” was only for /authorize end point.
Just added “scope”: “offline_access” and worked.
Regards.

pdcristofaro · February 7, 2018, 12:21am

Thanks a lot Ricardo!
I thought “scope”: “offline_access” was only for /authorize end point.
Just added “scope”: “offline_access” and worked.
Regards.

kirstyannepollock · July 23, 2019, 8:40am

Hi, I just tried exactly this and do not get a refresh_token back in the response body

request body is like so:

{
    "grant_type": "password",
    "username": "kirsty.pollock@xxx.yyy",
    "password": "xxxxx",
    "audience": "https://xxx/api",
    "client_id": "xxxxxx",
    "client_secret": "xxxxx",
    "scope": "offline_access"
}

I get back

{
    "access_token": "xxxxx",
    "expires_in": 86400,
    "token_type": "Bearer"
}

what am I doing wrong?

mathiasconradt · July 23, 2019, 8:45am

@kirstyannepollock In your API settings, did you enable

Allow Offline Access ?

kirstyannepollock · July 23, 2019, 9:41am

Awesome, that was it!!! Thank you.

system · August 7, 2019, 9:45am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Cannot get refresh token on Resource Owner Password Grant Help refresh-tokens	4	4305	October 26, 2019
Get new Access Token using Refresh Token in resource owner password flow Help sessions , reusable-refresh-tokens	5	1940	August 8, 2023
Not returning Refresh Token from Password Flow Help	5	7207	July 25, 2019
Unable to Get Refresh Token Help	2	2761	December 20, 2019
Issue retrieving refresh token in passwordless otp grant type Help	5	3585	January 28, 2020

How to refresh token using /oauth/token (non interactive)

Related Topics