How to use Auth0 Refresh Tokens in a WinForms app

fabs · January 27, 2021, 9:47am

I have a .Net 4.8 WinForms application using the Auth0.OidcClient.WinForms v3.1.4 library. When the app starts up, it uses the following code to bring up an Auth0 login screen, to allow the user to login, and grab an access token so that the app can call a Web API.

using Auth0.OidcClient;
using IdentityModel.OidcClient;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using System.Windows.Threading;

public static class Authenticate
    public static async Task<bool> Login()
    {
        var tcs = new TaskCompletionSource<LoginResult>();

        var thread = new Thread(delegate ()
        {
            var dispatcher = Dispatcher.CurrentDispatcher;
            dispatcher.InvokeAsync(async delegate
            {
                var clientOptions = new Auth0ClientOptions
                {
                    Domain = ConfigurationManager.AppSettings["Auth0:Domain"],
                    ClientId = ConfigurationManager.AppSettings["Auth0:ClientId"]
                };

                var client = new Auth0Client(clientOptions);

                var loginResult = await client.LoginAsync();

                bool IsError = loginResult.IsError;
                string Error = loginResult.Error;
                string IdentityToken = loginResult.IdentityToken;
                string AccessToken = loginResult.AccessToken;
                string RefreshToken = loginResult.RefreshToken;

                tcs.SetResult(loginResult);
                dispatcher.BeginInvokeShutdown(DispatcherPriority.Normal);
            });

            Dispatcher.Run();
        });
        thread.SetApartmentState(ApartmentState.STA);
        thread.Start();

        return tcs.Task.Result.IsError;
    }

That works perfectly. The user logs in and my app gets an access token. The problem is that after 10 minutes, the access token expires. I know I am supposed to use refresh tokens to keep the session alive, and not have the user re-login every 10 minutes, but I’m struggling to find any code only on how to achieve this. Even Auth0’s own sample WinForms apps don’t touch on refresh tokens.

In the code above, loginResult.RefreshToken is null. I read somewhere that I need to add an offline_accesss paramater to the scopes. So I did this:

var extraParameters = new Dictionary<string, string>
{
     {"scope", "offline_access"}
};

var loginResult = await client.LoginAsync(extraParameters);

But then loginResult.IsError is true, and loginResult.Error is “Error validating token response: Identity token is missing on token response.”

I have also tried this instead:

var clientOptions = new Auth0ClientOptions
{
    Domain = domain,
    ClientId = clientId,
    Scope = "offline_access"
};

This at least doesn’t give an error, but loginResult,.RefreshToken is still null. I’m not sure if that is supposed to be the case.

If anyone has any ideas/pointers on how to go about using a refresh token to extend the session past the access token’s 10-minute expiration, I would really appreciate it.

Thanks

damke · August 18, 2021, 11:33am

Hey I hope that you solved you problem, but I had a same problem when implementing refresh token for my project, solution is to set all possible scopes like this “openid profile email offline_access” not only “offline_acces”, then when you login you will get a refresh token in login response.

fabs · August 18, 2021, 12:45pm

Hey damle. I haven’t unfortunately. But to be honest, I haven’t really worked on it - because it is an app we use in-house, and only used by 2 users, I haven’t bothered much with it. But I will be requiring it to work soon, because I am working on another app that will be used by our clients, and has the same requirement.