I’ve implemented PKCE flow on a SPA (web), but I’m not getting the refresh_token from the token endpoint.
I’m doing the flow myself, not using the auth0.js.
I created a “native” app in the dashboard and first used the default “Auth0 Management API” API as audience, but I’ve read in the docs that I should enable the “Allow Offline Access” checkbox and that API didn’t have it, so I created a new API and enabled that checkbox, but there is no difference.
The PKCE flow works fine, I log in on my Auth0 app, get the code and use it to post to the token endpoint, but the endpoint returns
access_token: “theaccesstoken”
id_token: “theidtoken”
scope: “openid profile email offline_access”
expires_in: 86400
token_type: “Bearer”
But no refresh_token
My post to the token endpoint looks like:
grant_type: authorization_code
client_id: (my client id)
code_verifier: (the verifier)
code: (code I got after log in)
redirect_uri: http://localhost:8100
any ideas?
