
Issue retrieving refresh token in passwordless otp grant type

Hello,
I’m trying to get a refresh_token in the passwordless flow. According to the documentation, I tried adding offline_access to the scope in the auth params and in other configurations, and I also couldn’t find any answer that would help me get it properly.

When an authentication is performed with the offline_access scope included, it will return a Refresh Token that can be used to request a new user token, without forcing the user to perform authentication again.

My requests are as follows:
Generating otp:

curl --request POST --url 'https://redacted.eu.auth0.com/passwordless/start' --header 'content-type: application/json'  --data '{"client_id": "redacted", "client_secret": "redacted", "connection": "sms", "phone_number": "+redacted ", "send": "code", "authParams":{"scope":"offline_access"}}'

Confirming otp:

curl --request POST --url 'https://redacted.eu.auth0.com/oauth/token' --header 'content-type: application/json'  --data '{"client_id": "redacted", "client_secret": "redacted", "grant_type": "http://auth0.com/oauth/grant-type/passwordless/otp", "realm": "sms", "username": "+redacted", "otp": "8115"}'

Response doesn’t contain refresh_token:

{"access_token":"redacted","id_token":"redacted","scope":"openid profile email address phone","expires_in":86400,"token_type":"Bearer"}

What am I missing? I doubt that the Auth0 API is broken; rather, the documentation is unclear at this point, but correct me if I’m wrong.

What type of application are you using? SPA, Regular web app or Native?

I started with Native; it didn’t work, so I tried Regular Web Application with the same result.

Can you try adding openid (and email profile if you require the additional information) to the scope=offline_access in the first request?
In the token response you are getting "scope":"openid profile email", which suggests that the server is defaulting to openid profile email address phone for some reason, but maybe, since there’s no openid scope in the request, it is not creating the refresh token.

The scope list in authParams from the start request isn’t reflected in the token response:

curl --request POST --url 'https://REDACTED.eu.auth0.com/passwordless/start' --header 'content-type: application/json'  --data '{"client_id": "REDACTED", "client_secret": "REDACTED", "authParams":{"scope":"openid phone offline_access"}, "connection": "sms", "phone_number": "+REDACTED", "send": "code"}'
{"_id":"5e26f231dd1db51a85fc75bf","phone_number":"+REDACTED","phone_verified":false,"request_language":null}
curl --request POST --url 'https://REDACTED.eu.auth0.com/oauth/token' --header 'content-type: application/json'  --data '{"client_id": "REDACTED", "client_secret": "REDACTED", "grant_type": "http://auth0.com/oauth/grant-type/passwordless/otp", "realm": "sms", "username": "+REDACTED", "otp": "6193"}'
{"access_token":"REDACTED","id_token":"REDACTED","scope":"openid profile email address phone","expires_in":86400,"token_type":"Bearer"}

I also have the following grant types set up in the connected app:

Is it possible that you are altering the scope within a rule? Where are the address phone scopes being added? Are you removing offline_access as a side effect maybe?
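A small Python harness, added here and not part of this thread or of Auth0's own SDKs, that builds the two requests shown above (adding openid next to offline_access as the earlier reply suggests) and then compares the scopes you asked for with the scope and refresh_token the tenant actually returned, which is the quickest way to see whether a rule is stripping offline_access. The tenant domain, client values, the `post` transport parameter and all function names are assumptions or placeholders.

```python
import json
from urllib import request

DOMAIN = "YOUR_TENANT.eu.auth0.com"  # placeholder, not a value from the thread
OTP_GRANT = "http://auth0.com/oauth/grant-type/passwordless/otp"


def http_post_json(url, payload):
    """Default transport: POST a JSON body and decode the JSON reply."""
    req = request.Request(url, data=json.dumps(payload).encode(), method="POST",
                          headers={"content-type": "application/json"})
    with request.urlopen(req) as resp:
        return json.loads(resp.read())


def start_payload(client_id, phone_number, scopes, client_secret=None):
    """Body for /passwordless/start. openid and offline_access are always
    included, following the suggestion made earlier in this thread."""
    wanted = set(scopes) | {"openid", "offline_access"}
    body = {"client_id": client_id, "connection": "sms", "phone_number": phone_number,
            "send": "code", "authParams": {"scope": " ".join(sorted(wanted))}}
    if client_secret:  # only confidential clients (e.g. Regular Web App) hold a secret
        body["client_secret"] = client_secret
    return body


def otp_payload(client_id, phone_number, otp, client_secret=None):
    """Body for the /oauth/token exchange using the passwordless OTP grant."""
    body = {"client_id": client_id, "grant_type": OTP_GRANT, "realm": "sms",
            "username": phone_number, "otp": otp}
    if client_secret:
        body["client_secret"] = client_secret
    return body


def audit_token_response(requested_scopes, token_response):
    """Compare the scopes requested with what the tenant issued; a missing
    offline_access here (with no refresh_token) points at a rule or client
    setting dropping the scope, not at the OTP request itself."""
    granted = set(token_response.get("scope", "").split())
    requested = set(requested_scopes)
    return {"has_refresh_token": "refresh_token" in token_response,
            "missing_scopes": sorted(requested - granted),
            "extra_scopes": sorted(granted - requested)}


def run_flow(client_id, phone_number, otp_prompt, scopes, post=http_post_json, client_secret=None):
    """Start the SMS flow, exchange the OTP the user typed, and audit the result."""
    base = f"https://{DOMAIN}"
    post(f"{base}/passwordless/start", start_payload(client_id, phone_number, scopes, client_secret))
    token = post(f"{base}/oauth/token",
                 otp_payload(client_id, phone_number, otp_prompt(), client_secret))
    return audit_token_response(set(scopes) | {"openid", "offline_access"}, token)
```

Pass a fake `post` (as the test below does) to replay a captured token response offline; `extra_scopes` shows what the tenant added beyond the request, which is where a rule's changes become visible.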