
In Mobile Application - We need id_token and refresh_token during Social Login. There is also a requirement to get the latest id_token using the refresh_token.

social
refresh_token

#1


  1. Since we are using a Non-OIDC client we get refresh_token and id_token during Social Login. But we are not getting the latest id_token using the refresh_token - only the latest access_token is returned.

https://community.auth0.com/questions/1226/how-to-renew-id-token
Also, we cannot use /delegation endpoint as mentioned in the above link as it is deprecated in newer clients.

  2. So we are forced to move to an OIDC client.
     https://auth0.com/docs/api-auth/tutorials/adoption/oidc-conformant
     When we move to an OIDC client, as mentioned in the above documentation we are not getting a refresh_token during Social Login.

We are caught in-between and we need a solution to get the latest id_token using the refresh_token during Social Login.


#2

Based on the information provided I’m assuming the issue with OIDC is the lack of support for refresh tokens when using the implicit grant. If that’s the case you should be using silent authentication to obtain refreshed tokens in a browser-based web application. If you have a specific issue with silent authentication then you should update your question or if I understood incorrectly also clarify your scenario, but the lack of refresh tokens in implicit grant is unavoidable as refresh tokens are not suitable for browser-based applications.


#3

@jmangelo Yes, the issue with OIDC is the lack of support for refresh tokens when using the implicit grant. We cannot go with silent authentication as we are using a native mobile application that does a browser-based social login. Is there a solution for native mobile applications for the same issue, rather than for browser-based web applications?



#5

A native application should not be using implicit grant, it should use an authorization code grant with PKCE which would allow for the refresh token to be issued. See: https://auth0.com/docs/api-auth/grant/authorization-code-pkce


#6

Update - (Solved)

Authorisation code grant with PKCE + OIDC (passing an audience during social login) = refresh_token.

We are also able to refresh the id_token using the obtained refresh_token.

Thanks @jmangelo
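
The flow the solved update describes, as an added example that is not code from this thread or from Auth0's SDKs: a native app generates a PKCE verifier/challenge pair (RFC 7636, S256), sends the user to /authorize for a social connection with an audience, exchanges the returned code with the verifier, and later uses the refresh_token grant to obtain a new id_token. The tenant domain, client ID, redirect URI, audience and connection name are placeholders, and the offline_access scope is standard OIDC practice for requesting a refresh token rather than something stated in the thread.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed placeholders: substitute your own tenant, client and redirect URI.
AUTH0_DOMAIN = "YOUR_TENANT.auth0.com"
CLIENT_ID = "YOUR_CLIENT_ID"
REDIRECT_URI = "com.example.app://callback"
API_AUDIENCE = "https://YOUR_API_IDENTIFIER"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def challenge_for(verifier: str) -> str:
    """S256 transform; the server recomputes this to validate the token request."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair():
    """Return (code_verifier, code_challenge); 32 random bytes give a 43-char verifier."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, challenge_for(verifier)


def authorize_url(code_challenge: str, state: str, connection: str = "google-oauth2") -> str:
    """/authorize request for a social connection; audience plus offline_access yields a refresh_token."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile offline_access",
        "audience": API_AUDIENCE,
        "connection": connection,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "state": state,
    }
    return f"https://{AUTH0_DOMAIN}/authorize?{urlencode(params)}"


def code_exchange_body(code: str, code_verifier: str) -> dict:
    """POST /oauth/token body; the verifier (never the challenge) proves possession."""
    return {"grant_type": "authorization_code", "client_id": CLIENT_ID, "code": code,
            "code_verifier": code_verifier, "redirect_uri": REDIRECT_URI}


def refresh_body(refresh_token: str) -> dict:
    """POST /oauth/token body that returns a fresh id_token along with the access_token."""
    return {"grant_type": "refresh_token", "client_id": CLIENT_ID, "refresh_token": refresh_token}
```

Because the verifier never leaves the device until the token request, an intercepted authorization code alone cannot be redeemed, which is why PKCE is the grant a native app should use in place of implicit.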

