No Refresh or ID Tokens

We are rather embarrassingly failing at step one of using Auth0 as an identity provider: getting our application to sign in. Using the same OAuth client code against the AWS Cognito provider and Auth0 gives a wildly different response. Cognito returns access, refresh and ID tokens, whereas Auth0 only returns a rather short access token which doesn’t work when using it to hit our API (via AWS API Gateway).

I’m not too worried about the access token not working through API Gateway because I think we have bigger issues with the missing refresh and ID tokens.

This seems so basic that it must be a setting we’ve misconfigured. I’m hoping someone can just say “duh, you just need to do xyz”. Any ideas?

The “short” access token sounds like it might be an opaque token, which is what you will get back from Auth0 if you do not specify an audience string in your request.

ID and refresh tokens are returned only if you request the associated scopes, openid and offline_access respectively.

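As an added illustration of Mark’s answer (example code written for this page, not from the thread, the PHP quickstart or Auth0’s SDKs): the authorization request parameters that make Auth0 return a JWT access token, an ID token and a refresh token, plus a small check that maps whatever is missing from a token response back to the request setting that controls it. The tenant domain, client id, callback URL and API identifier are placeholders, and the sample token responses are constructed.

```python
import base64
import json
from urllib.parse import urlencode

# Placeholder values, not from the thread: substitute your own tenant and API.
AUTH0_DOMAIN = "example-tenant.auth0.com"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
REDIRECT_URI = "https://app.example.com/callback"
API_AUDIENCE = "https://api.example.com"   # the "Identifier" of the API in Auth0


def build_authorize_url(domain, client_id, redirect_uri, audience, state):
    """Authorization Code request that asks for all three tokens: `openid`
    yields an ID token, `offline_access` a refresh token, and `audience`
    makes the access token a JWT for that API instead of an opaque token."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email offline_access",
        "audience": audience,
        "state": state,  # anti-CSRF value the callback must compare
    }
    return f"https://{domain}/authorize?" + urlencode(params)


def _decode_segment(seg):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def is_jwt(token):
    """True if the token has three base64url segments with a JSON header carrying `alg`."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = _decode_segment(parts[0])
        _decode_segment(parts[1])
    except ValueError:  # covers binascii.Error, UnicodeDecodeError and JSONDecodeError
        return False
    return isinstance(header, dict) and "alg" in header


def diagnose_token_response(resp):
    """Return one finding per missing item in an /oauth/token response (empty list = complete)."""
    findings = []
    if not is_jwt(resp.get("access_token", "")):
        findings.append("access_token is opaque: add an `audience` parameter naming your API")
    if "id_token" not in resp:
        findings.append("no id_token: add the `openid` scope")
    if "refresh_token" not in resp:
        findings.append("no refresh_token: add the `offline_access` scope")
    return findings


# Constructed sample responses: the "JWT" below is an unsigned stand-in, not a real token.
OPAQUE_RESPONSE = {"access_token": "a7Fk2xZ0pQ", "token_type": "Bearer", "expires_in": 86400}
FULL_RESPONSE = {"access_token": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIxIn0.sig",
                 "id_token": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIxIn0.sig",
                 "refresh_token": "v1.MRjYRefreshPlaceholder", "token_type": "Bearer"}
```

Checking `is_jwt` only distinguishes opaque from JWT-shaped access tokens; signature and claim validation still has to happen on the API side before the token is trusted.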

Thanks for helping on this thread Mark!

Sorry to be dumb, is audience an Auth0 thing? We’re struggling to find many references to audience anywhere outside of Auth0, so getting a standard OAuth client working is proving somewhat challenging! I thought that Auth0 was supposed to be a drop-in replacement for other OAuth providers.

This Auth0 PHP quickstart, for example, doesn’t even mention audience:

Use of an audience is recommended by the OAuth specs and best practices, and I believe it is mandatory for OpenID Connect.

ref:

I don’t really know PHP but there are references to an audience field in the source code for that quickstart:
