In the management portal I’ve created a regular web application and enabled only the password (magic link) connection and no other social connections or password.
Through my MVC / Angular front end, I can reliably use Lock (11.9.0) to collect email, send the magic link, return to my platform and store the correct data.
I’ve also configured my ASP.NET NancyFX API to accept and validate the Auth0 tokens correctly, even using custom claims, which is cool.
However, I want to now allow my end users to not just log in and use the MVC / Angular front end I created, but also interact with the raw API behind the scenes with their (long term) access tokens.
My initial thought was to try and replicate the mobile app behaviour with a refresh token, but conflicting documentation is unclear about how to actually get a refresh token using Lock (offline_access in scopes still returns a null refreshToken).
Overall I think I’m just looking for some guidance on how I should be thinking about this process. Can anyone explain a logical way to implement this behaviour?