We are using refresh token rotation, and we would like to return the refresh token expiration date as a custom claim in the accessToken.
In the documentation it’s mentioned that it’s possible to get the refresh token inside the post-login action; however, in our case it’s always returned as null.
Is there any further configuration needed?
Code:
exports.onExecutePostLogin = async (event, api) => {
  // Here event.refresh_token is always null!!
  const refreshTokenExpiration = event.refresh_token?.expires_at;
  if (refreshTokenExpiration != null) {
    // Add refresh token expiration as a custom claim
    api.accessToken.setCustomClaim("refreshTokenExpiresAt", refreshTokenExpiration);
  }
};
Can you confirm that you have implemented refresh token exchange in your application(s)? The event.refresh_token object is populated by refresh token exchange flows: Use Refresh Token Rotation
Actually, we are using the official Auth0 Flutter SDK, and using the CredentialManager to log in and refresh the token. So I suppose yes, the exchange is implemented?
We are able to perform refreshes in the app.
Thanks for confirming! I reread the documentation and it states that event.refresh_token provides relevant information for existing refresh_tokens. It could be that there are no existing refresh tokens for that user at the time of action execution. Can you check?
Also, can you confirm that your API in Auth0 has offline_access enabled?
We double checked that the offline access is enabled, and that in the app we do have a refresh token, but still have a null refresh token in the action.
I reached out internally and confirmed that access to the Session and Refresh Token APIs is only available to Enterprise customers. Therefore, it is not possible on a Free account to use event.refresh_token in an action, unfortunately.