Migrating From v6 to v7

msdiego2k · June 23, 2020, 7:15am

Hi,
our App uses a refresh token which is valid for multiple years. After updating to v7 the refresh token is invalid; exception:
ID token is required but missing. System.Exception Auth0.AuthenticationApi.Tokens.IdTokenValidationException

For us it’s not an option to logout the user and trigger a re-login.

I have tried multiple things to get the refresh token from v6 working in v7, but it didn’t work.
So my question is: How would an upgrade strategy for the refresh token look like?

Current v6 Code:

public async Task<AccessToken> GetAccessTokenAsync(string refreshtoken)
{
    var accessToken = new AccessToken();
    try
    {
        var client = CreateAuthClient();
        var token = await client.GetTokenAsync(new RefreshTokenRequest()
        {
            Audience = _options.CustomerApp.Audience,
            ClientId = _options.CustomerApp.ClientId,
            ClientSecret = _options.CustomerApp.ClientSecret,
            RefreshToken = refreshtoken,
        });
        accessToken.Token = token.AccessToken;
        accessToken.ExpiryDate = DateTime.Now.AddSeconds(token.ExpiresIn - 60);
        return accessToken;
    }
    catch (ApiException ex)
    {
        if (ex.ApiError.Error == "invalid_grant")
        {
            return accessToken;
        }
        throw;
    }
}

public async Task<AccessTokenResponse> AuthCustomerAsync(string phone, string code, CancellationToken cancelationToken)
{
var client = CreateAuthClient();

var token = await client.GetTokenAsync(new ResourceOwnerTokenRequest
{
    Username = GenerateEmail(phone),
    Password = GeneratePassword(code),
    ClientId = _options.CustomerApp.ClientId,
    ClientSecret = _options.CustomerApp.ClientSecret,
    Audience = _options.CustomerApp.Audience,
    Scope = "offline_access",
}).ConfigureAwait(false);

return token;

}

konrad.sopala · June 23, 2020, 10:14am

Having a refresh token valid for a couple of years is definitely not a secure option. Can you tell me more about what part of our stack you use? Any docs , quickstarts? Thanks!

msdiego2k · June 23, 2020, 10:57am

In the .Net 3.1 backend application we are using these nuget packages:
Auth0.AuthenticationApi, Auth0.ManagementApi
Does that help you?
Regarding security we had to make some compromises to meet our usability goals …

Furthermore, I have tried a couple of things to generate a refresh token with v6 which is also valid in v7, but I had no luck. Is this possible?

konrad.sopala · June 23, 2020, 11:11am

I don’t have that much of .NET experience so let me discuss it with my colleagues. I’ll get back to you soon!

msdiego2k · June 29, 2020, 11:45am

Something new about that? Thanks!

msdiego2k · July 6, 2020, 2:46pm

Okay I guess it’s not possible to use my v6 refresh tokens in v7 and in general it’s also not possible to generate refresh tokens in v6 which are valid in v7.

system · September 11, 2020, 11:49am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to refresh tokens, ID token is required but missing Help sessions , rotating-refresh-tokens	0	1385	April 4, 2023
Null refresh token Help	3	4524	January 27, 2024
Android - How to renew id token with refresh token? Help android , id_token , oidc-conformant , refresh-tokens	6	9102	August 20, 2019
ID token is required but missing Help	3	5055	March 16, 2020
Missing id_token and refresh_token Help	2	3538	December 17, 2018

Migrating From v6 to v7

Related topics