Not receiving refresh token at "/oauth/token" endpoint

I am currently using the Universal login flow along with the authorization code flow to log in a user. After authorizing the user via the universal login page, I receive the authorization code, which I then send to my API. My API then calls the oauth/token endpoint to exchange the authorization code for an access token and a refresh token. The response contains the access token only, along with the expires_in and token type fields, but the refresh token is missing.
I included the offline access scope, and I have enabled OIDC conformant along with refresh token rotation, and the refresh token and authorization code grant types.
For information, I am using a SPA as frontend, which is a Blazor application. And my API is registered as a Regular Web App, which is a .NET Core web API. I am using .NET 8.

Hello @olaskole4405,

Welcome to the Auth0 community!

What might be causing your issue is that you registered your API as a Regular Web App. You can try registering it as an API: Register APIs.

After doing that, you should select your API and go to settings. There, you have to scroll down to the bottom of the page to Access Settings and make sure Allow Offline Access is toggled on.

The following Knowledge Solution explains using Refresh Tokens for a SPA: How to Use Refresh Tokens in a SPA?

For more information about Refresh Tokens, make sure to check the documentation: Refresh Tokens

I hope this was helpful and don’t hesitate to ask more questions.

Thanks,
Tudor

1 Like
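A diagnostic for the situation in this thread, added here as an example and not taken from either post or from Auth0's own code: it compares the `/authorize` request with the `/oauth/token` response and lists why no refresh token came back, without echoing any token value. The function name, finding codes, tenant, client and API identifiers are assumptions made for illustration; the granted-scope check relies on RFC 6749 section 5.1.

```python
from urllib.parse import urlsplit, parse_qs

def diagnose_missing_refresh_token(authorize_url, token_response):
    """Return (code, message) findings for a token response lacking refresh_token.

    Reports only parameter names and scope strings, never token values.
    """
    if "refresh_token" in token_response:
        return []
    params = {k: v[0] for k, v in parse_qs(urlsplit(authorize_url).query).items()}
    requested = set(params.get("scope", "").split())
    findings = []

    if params.get("response_type") != "code":
        findings.append(("not_code_flow", "response_type is not 'code'"))

    if "offline_access" not in requested:
        msg = "scope sent to /authorize lacks 'offline_access'"
        if {"offline", "access"} <= requested:
            msg += " ('offline access' with a space is two different scopes)"
        findings.append(("scope_not_requested", msg))

    # RFC 6749 section 5.1: the token response includes 'scope' when the
    # granted scope differs from the requested one.
    granted = token_response.get("scope")
    if granted is not None and "offline_access" in requested \
            and "offline_access" not in granted.split():
        findings.append(("scope_not_granted",
                         "server removed 'offline_access' from the granted scope"))

    # The answer above points at the per-API "Allow Offline Access" toggle.
    api = params.get("audience", "<none named in request>")
    findings.append(("check_api_setting",
                     f"confirm Allow Offline Access is on for API: {api}"))
    return findings


# Constructed sample input: placeholder tenant, client and API identifier.
SAMPLE_AUTHORIZE_URL = (
    "https://tenant.example/authorize?response_type=code&client_id=CLIENT_ID"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback"
    "&scope=openid%20profile%20offline_access"
    "&audience=https%3A%2F%2Fapi.example%2F"
)
SAMPLE_TOKEN_RESPONSE = {"access_token": "<redacted>", "expires_in": 86400,
                         "token_type": "Bearer", "scope": "openid profile"}

if __name__ == "__main__":
    for code, message in diagnose_missing_refresh_token(
            SAMPLE_AUTHORIZE_URL, SAMPLE_TOKEN_RESPONSE):
        print(f"{code}: {message}")
```

When capturing the real request and response to feed into a check like this, redact the `code`, `client_secret` and token values first; the diagnosis only needs the parameter names and the scope strings.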