Migrating From v6 to v7

msdiego2k · June 23, 2020, 7:15am

Hi,
our App uses a refresh token which is valid for multiple years. After updating to v7 the refresh token is invalid; exception:
ID token is required but missing. System.Exception Auth0.AuthenticationApi.Tokens.IdTokenValidationException

For us it’s not an option to logout the user and trigger a re-login.

I have tried multiple things to get the refresh token from v6 working in v7, but it didn’t work.
So my question is: How would an upgrade strategy for the refresh token look like?

Current v6 Code:

public async Task<AccessToken> GetAccessTokenAsync(string refreshtoken)
{
    var accessToken = new AccessToken();
    try
    {
        var client = CreateAuthClient();
        var token = await client.GetTokenAsync(new RefreshTokenRequest()
        {
            Audience = _options.CustomerApp.Audience,
            ClientId = _options.CustomerApp.ClientId,
            ClientSecret = _options.CustomerApp.ClientSecret,
            RefreshToken = refreshtoken,
        });
        accessToken.Token = token.AccessToken;
        accessToken.ExpiryDate = DateTime.Now.AddSeconds(token.ExpiresIn - 60);
        return accessToken;
    }
    catch (ApiException ex)
    {
        if (ex.ApiError.Error == "invalid_grant")
        {
            return accessToken;
        }
        throw;
    }
}

public async Task<AccessTokenResponse> AuthCustomerAsync(string phone, string code, CancellationToken cancelationToken)
{
var client = CreateAuthClient();

var token = await client.GetTokenAsync(new ResourceOwnerTokenRequest
{
    Username = GenerateEmail(phone),
    Password = GeneratePassword(code),
    ClientId = _options.CustomerApp.ClientId,
    ClientSecret = _options.CustomerApp.ClientSecret,
    Audience = _options.CustomerApp.Audience,
    Scope = "offline_access",
}).ConfigureAwait(false);

return token;

}

konrad.sopala · June 23, 2020, 10:14am

Having a refresh token valid for a couple of years is definitely not a secure option. Can you tell me more about what part of our stack you use? Any docs , quickstarts? Thanks!

msdiego2k · June 23, 2020, 10:57am

In the .Net 3.1 backend application we are using these nuget packages:
Auth0.AuthenticationApi, Auth0.ManagementApi
Does that help you?
Regarding security we had to make some compromises to meet our usability goals …

Furthermore, I have tried a couple of things to generate a refresh token with v6 which is also valid in v7, but I had no luck. Is this possible?

konrad.sopala · June 23, 2020, 11:11am

I don’t have that much of .NET experience so let me discuss it with my colleagues. I’ll get back to you soon!

msdiego2k · June 29, 2020, 11:45am

Something new about that? Thanks!

msdiego2k · July 6, 2020, 2:46pm

Okay I guess it’s not possible to use my v6 refresh tokens in v7 and in general it’s also not possible to generate refresh tokens in v6 which are valid in v7.