No refresh token when using Passwordless/OTP grant through SMS

Hi!

I’m trying to set up the passwordless/otp flow for my React Native app and everything works except for the refresh tokens, which are not included in the response from the Auth0 API.

These are the exact requests:

POST: https://{AUTH0_DOMAIN}/passwordless/start
{
  "client_id": "My Id",
  "connection": "sms",
  "phone_number": "+46XXXXXXXX", 
  "send": "code", 
  "authParams": { 
    "scope": "openid profile email offline_access"
  }
}

POST: https://{AUTH0_DOMAIN}/oauth/token
{
  "grant_type" : "http://auth0.com/oauth/grant-type/passwordless/otp",
  "client_id": "My Id",
  "username":"+46XXXXXXXX", 
  "otp": "XXXX",
  "realm": "sms", 
  "audience" : "https://{OUR_DOMAIN}.se",
  "scope": "openid profile email offline_access" 
}

Does anyone know how to include the refresh token in the response? I’m currently getting the following response:

{
  "access_token": "eyJhbGciOiJSUzI...",
  "id_token": "eyJhbGciOiJSUzI...",
  "scope": "openid profile email",
  "expires_in": 86400,
  "token_type": "Bearer"
}

I am dealing with the same issue. Do we have a way to implement passwordless sms/email otp codes and refresh tokens? I found some posts that said it is possible and others that say it is not possible.

If it is possible, please tell us how we can achieve it. If not, is there a way to implement a similar passwordless feature without having the users log in every single day?

Is there any update here? After implementing passwordless auth, I’m realizing users must log in with SMS every day. This isn’t going to work. Are there options to keep users signed in for 30 days?

This post helped me finally get a refresh token when using SMS OTP.

Hi,

I have been trying to get Passwordless to work using SMS OTP (using Twilio for the same). This is my request…

https://xxx.us.auth0.com/passwordless/start

{
  "client_id": "xxxxxxxxxxxxx",
  "connection": "sms",
  "phone_number": "+91961…", //set for connection=sms
  "send": "code" //if left null defaults to link
}

This gives back a 400 bad request. I have looked at the documentation and this seems to be good. Has anyone faced this kind of issue before?

What post helped you?