I have a native app in Auth0, using the PKCE flow. When I call
Auth0.authorize() from my Ionic app, using Auth0.js, I’m getting an access token and an ID token, but no refresh token.
I am passing the
offline_access scope to
Auth0.authorize() (as well as
openid profile). The API I’m using has “Allow Offline Access” enabled. I have no rules defined.
The app in Auth0 has the following grants enabled in the advanced settings: Implicit, Authorization Code, Refresh Token.
In my config for Auth0 in my client app, I’m setting:
audience: 'xxxxxxxxx', /* My API identifier */
responseType: 'token id_token'
My redirect callback is receiving hash params like:
access_token=xxxxx&scope=openid%20profile%20offline_access&expires_in=7200&token_type=Bearer&state=xxx&id_token=xxxxx but no refresh_token.
What am I missing?
I’m not sure about the refresh token issue and can’t help you there. But my use case is similar to yours and I noticed something you may have overlooked.
Having the access_token returned in the url might not be safe. Other community members have posted about it.
My solution ended up being using checkSession() to get an access token after my initial authorization.
Sorry for adding to your problems rather than solving them but I thought I should say something.
As for refresh tokens, I know the responseType field decides what you get back. token === access_token and id_token is obvious. Perhaps there is a value you can enter to get the refresh_token?
Edit: Nevermind, I just saw the docs mention offline_access in scope should give you the refresh token.
@Adam-E, Thanks for jumping in on this.
For your initial question, can you confirm your application is setup as a native app and not either
default app or toggled to
It’s a native app. I’ve moved to another solution in the meantime, that doesn’t use Auth0.js.