Invalid access token returned when using refresh token

alan.stead · October 7, 2024, 4:45pm

To make sure my configuration is clear:

<Auth0Provider
      domain={auth0data.domain}
      clientId={auth0data.clientId}
      authorizationParams={{
        audience: auth0data.audience,
      }}
>

Here is my client side call to authorize when I hit the login button, it includes the code challenge and setting the scope to include offline_access:

'https://'+ auth0data.domain + '/authorize?' +
      'response_type=code&' +
      'client_id='+ auth0data.clientId + '&' +
      'redirect_uri='+ auth0data.redirectURL + '&' +
      'code_challenge='+ codeChallenge + '&' +
      'code_challenge_method=S256&' +
      'scope=offline_access openid profile';

My callback captures the authorization code and sends it to the back end, along with the code verifier.
const params = new URLSearchParams(location.search);
const authorizationCode = params.get(‘code’);
const response = await axios.post(baseUrl + channels.AUTH0_GET_TOKENS,
{ authorizationCode: authorizationCode, codeVerifier: codeVerifier });

Back end then makes the call to get the tokens:

const tokenResponse = await `https://${process.env.REACT_APP_AUTH0_DOMAIN}/oauth/token`, {
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({
           grant_type: 'authorization_code',
           client_id: process.env.REACT_APP_AUTH0_CLIENT_ID,
           client_secret: process.env.REACT_APP_AUTH0_CLIENT_SECRET,
           code: authorizationCode,
           redirect_uri: process.env.REACT_APP_AUTH0_CALLBACK_URL,
           code_verifier: codeVerifier,
    }),
}

I wasn’t sure how to store the access token back on the client side. So once the back end returns back to the client side, I was setting the client side authentication as follows. This seems to work, but I’m sure there is a better way.

loginWithRedirect({
  authorizationParams: {
    response_type: 'token',
    client_id: auth0data.clientId,
    redirect_uri: `${window.location.origin}`,
    audience: auth0data.audience,
    scope: 'read:current_user',
  },
});

When I detect that an access token has expired, I

`https://${process.env.REACT_APP_AUTH0_DOMAIN}/oauth/token`, {
  grant_type: 'refresh_token',
  client_id: process.env.REACT_APP_AUTH0_CLIENT_ID,
  client_secret: process.env.REACT_APP_AUTH0_CLIENT_SECRET,
  refresh_token: refreshToken,
}

Topic		Replies	Views
Unknown or invalid refresh token Get Help auth0 , refresh-tokens , nextjs	2	3404	July 22, 2022
Get new Access Token using Refresh Token in resource owner password flow Get Help sessions , reusable-refresh-tokens	5	2154	August 8, 2023
NextJS Auth0 getAccessToken with refresh token only work for the first time Get Help apis , application	1	374	February 12, 2025
NextJS-Auth0 Refresh Token setup Get Help sessions , rotating-refresh-tokens	3	2227	December 5, 2024
Refresh token doesn't triggered automatically Get Help login-experience , new-universal-login-experience	1	1019	September 14, 2023

Invalid access token returned when using refresh token

Related topics