I have a native app in Auth0, using the PKCE flow. When I call Auth0.authorize() from my Ionic app, using Auth0.js, I’m getting an access token and an ID token, but no refresh token.
I am passing the offline_access scope to Auth0.authorize() (as well as openid profile). The API I’m using has “Allow Offline Access” enabled. I have no rules defined.
The app in Auth0 has the following grants enabled in the advanced settings: Implicit, Authorization Code, Refresh Token.
In my config for Auth0 in my client app, I’m setting:
...,
audience: 'xxxxxxxxx', /* My API identifier */
responseType: 'token id_token'
My redirect callback is receiving hash params like: access_token=xxxxx&scope=openid%20profile%20offline_access&expires_in=7200&token_type=Bearer&state=xxx&id_token=xxxxx but no refresh_token.
I’m not sure about the refresh token issue and can’t help you there. But my use case is similar to yours and I noticed something you may have overlooked.
Having the access_token returned in the URL might not be safe. Other community members have posted about it.
My solution ended up being using checkSession() to get an access token after my initial authorization.
Sorry for adding to your problems rather than solving them but I thought I should say something.
As for refresh tokens, I know the responseType field decides what you get back. token === access_token and id_token is obvious. Perhaps there is a value you can enter to get the refresh_token?
Edit: Never mind, I just saw the docs mention offline_access in scope should give you the refresh token.