Oauth/token not returning refresh token

I have a 3rd Party application (web application) set up and am currently unable to get the refresh token in my /token call after completing an Authorization Code Flow.

I’m kicking it off correctly I believe (indicating offline_access in scopes):

https://my-tenet/authorize?response_type=code&client_id=my-client-id&redirect_uri=http://localhost:4200/dashboard&audience=my-audience&scope=offline_access read:app create:app&state=STATE&prompt=login

Then when requesting oauth/token on return:

https://my-tenet/oauth/token?grant_type=authorization_code&client_id=my-client-id&client_secret=my-client-secret&code=returned-code&redirect_uri=http://localhost:4200/dashboard

I still only get access_token:

{"access_token":"eyJhbGci…","scope":"create:app read:app offline_access","expires_in":2592000,"token_type":"Bearer"}

My 3rd Party application has the Refresh Token grant and OIDC Conformant turned on. The API it is accessing as the audience does have Allow Offline Access turned on as well. I also have a rule set up, but all it’s doing is adding custom claims on the access_token so I think I’m safe there.

Anyone have any other leads I could look into?

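As an added worked example (not code from the original post or from Auth0), here is the same Authorization Code + offline_access flow written as a small Python client, together with a check that the token response actually carries a refresh_token. It also validates the returned state before exchanging the code, and sends the exchange as a POST with a form-encoded body (RFC 6749 §4.1.3) rather than in the query string, so the client secret and code do not end up in URLs or access logs. The tenant host, client secret and the sample token response are assumptions/constructed values; the scopes, client id, audience and redirect URI are the ones from the post.

```python
"""Authorization Code flow with offline_access, plus a refresh_token check.

Added example, not from the original thread. TENANT and the secret are
assumptions; SAMPLE_RESPONSE is a constructed copy of the response shown
in the post (no refresh_token present).
"""
import json
import urllib.parse
import urllib.request

TENANT = "my-tenant.example"                    # assumption (placeholder host)
CLIENT_ID = "my-client-id"                      # from the post
REDIRECT_URI = "http://localhost:4200/dashboard"
AUDIENCE = "my-audience"
DEFAULT_SCOPES = ("offline_access", "read:app", "create:app")

# Constructed sample of the /oauth/token response quoted in the post.
SAMPLE_RESPONSE = {
    "access_token": "eyJhbGci...",
    "scope": "create:app read:app offline_access",
    "expires_in": 2592000,
    "token_type": "Bearer",
}


def build_authorize_url(state, scopes=DEFAULT_SCOPES):
    """Step 1: redirect the browser here. offline_access must be in scope."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "audience": AUDIENCE,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"https://{TENANT}/authorize?" + urllib.parse.urlencode(params)


def parse_callback(redirect_url, expected_state):
    """Step 2: pull the code out of the callback URL, rejecting a bad state.

    The state check is what ties the callback to the session that started
    the flow; skipping it lets an attacker plant their own code (login CSRF).
    """
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def build_token_request(code, client_secret):
    """Step 3: the exchange is a POST with a form body, not a query string."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": REDIRECT_URI,
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return f"https://{TENANT}/oauth/token", body, headers


def exchange_code(code, client_secret):
    """Perform the exchange over the network and return the parsed JSON."""
    url, body, headers = build_token_request(code, client_secret)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def diagnose(token_response):
    """Return the list of things to check when refresh_token is absent.

    An empty list means a refresh_token was issued.
    """
    if "refresh_token" in token_response:
        return []
    granted = set(token_response.get("scope", "").split())
    if "offline_access" not in granted:
        return ["offline_access was not granted: put it in the /authorize scope "
                "and turn on Allow Offline Access for the audience API"]
    return ["offline_access was granted but no refresh_token came back: "
            "confirm the Refresh Token grant type is enabled on the application"]


if __name__ == "__main__":
    print(build_authorize_url("STATE"))
    for finding in diagnose(SAMPLE_RESPONSE):
        print("check:", finding)
```

Run it as-is and it prints the authorize URL and the checklist for the sample response; wire `exchange_code` into the callback handler of a real app to get a live response to pass through `diagnose`.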

If you do not get back a new refresh token, then it means your existing refresh token will continue to work when the new access token expires.

I’ve never received a refresh token in the first place or have ever seen a “refresh_token” property in my /oauth/token response…


Just pinging for visibility in case anyone else has any ideas? Otherwise I’ll have to continue playing with settings…


There are two things you need to do from what I know.

  1. Include scope “offline_access”
  2. Enable offline access on your api in the Auth0 Dashboard.

Check out this doc: Refresh Tokens

Good Luck!
Tom


Thanks for sharing it with the rest of the community!

For me it only worked after toggling on Refresh Token Rotation in the application settings.


Doesn’t work for me either, even after enabling Refresh Token Rotation. I simply never see a refresh_token alongside the access_token. I have the offline_access scope set and I have the Refresh Token Grant Type enabled.


You need to set the scope to offline_access when authorizing to get a refresh token. See Get Refresh Tokens for more information


For future reference: It also depends on the SDK being used to initiate the authorize request. For example, in auth0-react there’s an authorizationParams property of useRefreshTokens which defaults to false:

