
Not returning Refresh Token from Password Flow


#1

I am sending a request to /oauth/token with

grant_type password
clientid (client has refresh token password grant)
username
password
scope openid email offline_access
audience (api allows offline access)

I get back
access_token
id_token
scope openid email

Can anyone think of something I am missing? I would expect a refresh token to be returned as well.

Thanks!


#2

According to the doc:

To refresh your token, using the refresh_token you already got during authorization, make a POST request to the /oauth/token endpoint in the Authentication API, using grant_type=refresh_token


#3

Agreed and I believe I have configured everything properly however the oauth/token endpoint doesn’t return a refresh_token. I do notice the scope is being returned without the offline_access so it is being stripped out for some reason I believe. The client has the grant for offline_access and the api has the feature turned on.
Request (screenshot not included)

Response (screenshot not included)


#4

According to the documentation, in order to get the refresh token the grant_type should be refresh_token, but in the Postman query above you’re using password.


#5

It ended up being a rule that was stripping the offline_access scope on the original /token call. My fault. Thanks for the help! Moral of the story, if you are getting interesting behavior check your rules!

The forum wouldn’t let me post twice in a row so sorry you wasted your time.
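As an added example (not from this thread or from Auth0), here is a small Python check that compares the scope you sent in the password-grant request with the scope the /oauth/token response actually granted, so a stripped offline_access shows up as a named finding instead of a silently missing refresh_token. The sample response is constructed to match what the original post describes.

```python
import json

# Scope sent in the password-grant request, as in the thread's original post.
REQUESTED_SCOPE = "openid email offline_access"

# Constructed sample of what the thread describes coming back: access_token and
# id_token present, scope echoed back without offline_access, no refresh_token.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "<constructed-access-token>",
    "id_token": "<constructed-id-token>",
    "scope": "openid email",
    "token_type": "Bearer",
    "expires_in": 86400,
})


def diagnose_token_response(requested_scope: str, response_json: str) -> dict:
    """Compare requested vs. granted scope and report why a refresh token is absent.

    Returns the granted scopes, the requested scopes that were dropped, whether a
    refresh_token came back, and a list of plain-text findings for the operator.
    """
    body = json.loads(response_json)
    requested = set(requested_scope.split())
    granted = set(body.get("scope", "").split())  # scope may be absent entirely
    dropped = sorted(requested - granted)
    has_refresh = "refresh_token" in body
    findings = []

    if "offline_access" in requested and not has_refresh:
        findings.append("offline_access was requested but no refresh_token was issued")
    if "offline_access" in dropped:
        # The thread's root cause: a rule rewrote the scope on the /oauth/token call.
        findings.append(
            "offline_access is missing from the granted scope: check for a rule that "
            "rewrites scope, then the application's grant types and the API's "
            "offline-access setting"
        )
    elif dropped:
        findings.append("other requested scopes were dropped: " + ", ".join(dropped))

    return {
        "granted": sorted(granted),
        "dropped": dropped,
        "has_refresh_token": has_refresh,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in diagnose_token_response(REQUESTED_SCOPE, SAMPLE_RESPONSE)["findings"]:
        print("-", finding)
```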


#6

Hi everyone, I am new here and working with Cyberops Infosec.
Best regards
Cyberops