Is there a way to pass the Audience to get an Authentication token after authenticating and getting the ID token?

I am developing an Ionic Angular application that uses Auth0, but I am running into issues with the flow of the application and login process.

This application will need to have access to all of our APIs, but we only know which one is being requested after the user authenticates and enters their Organization name. We can then use the information from the ID token to build the audience and API endpoint that needs to be called.

I cannot put the audience into the Angular Auth0 configuration since I don’t know it at startup and I cannot change the startup configuration without completely reloading the app. I can pass audience to the getAccessTokenSilently method, but then the refresh tokens are not working anymore and throwing a Missing Refresh Token error.

Please let me know if you need further information about this.

Hi @mwebb,

Welcome to the Auth0 Community!

When using the Angular SDK’s getAccessTokenSilently() method, it fetches a new access token and returns the response from the /oauth/token endpoint, omitting the refresh token. This is mentioned in the Angular SDK’s API Reference. This method would fit your use-case for getting a new access token while passing an audience.

The Refresh Token might not work here since it depends on the initial request’s parameters and cannot be changed when obtaining a new access token.

Let me know how this goes for you.

Thanks,
Rueben

Thanks for your reply Rueben!

I can resolve this and still keep the refresh token by setting both useRefreshTokens and useRefreshTokensFallback to true in the initial configuration, but is there another way to still use the refresh token? What happens if I don’t use refresh tokens?

Hi @mwebb,

Thanks for the update.

That’s great news that you managed to resolve this and retain the refresh tokens.

As for your question, it won’t be possible to use the refresh tokens with a new audience to get a new access token for the new API.

Typically, the audience specified in your initial request will persist for subsequent calls to get a new access token with your refresh tokens.

If you do not use your refresh tokens, there shouldn’t be an issue. If so, it might be better not to request them at all so that it eliminates the potential for a bad actor to steal and use them. Or, if you prefer, you could always Revoke Refresh Tokens later on.

Thanks,
Rueben

It turns out that using the legacy refresh token method works in a browser app, but not when using an Ionic app on Android.

Is there a way to set the expected audience using an Auth0 pre- or post-login action prior to the creation of the ID or Authorization tokens?

Hi @mwebb,

Unfortunately, it’s not possible to set an audience using a Pre-User or Post-User registration action.

You will need to specify the audience in the login request for it to create a new ID or access token. Or, as mentioned previously, you can specify them in a silent authentication request. Once the user grants consent for that API’s scopes and permissions, you can then add the offline_access scope to begin using refresh tokens.

Thanks,
Rueben