
Passwordless Only - How would you generate long term tokens for an API?

lock
auth0

#1

Hi,

In the management portal I’ve created a regular web application and enabled only the password (magic link) connection and no other social connections or password.

Through my MVC / Angular front end, I can reliably use lock (11.9.0) to collect email, send the magic link, return to my platform and store the correct data.

I’ve also configured my ASP.Net NancyFX api to accept and validate the auth0 tokens correctly, even using custom claims, which is cool.

However, I now want to allow my end users not just to log in and use the MVC / Angular front end I created, but also to interact with the raw API behind the scenes with their (long term) access tokens.

My initial thought was to try and replicate the mobile app behaviour with a refresh token, but conflicting documentation is unclear about how to actually get a refresh token using lock (offline_access in scopes still returns a null refreshToken).

Overall, I think I’m just looking for some guidance on how I should be thinking about this process. Can anyone explain a logical way to implement this behaviour?


#3

Hey @yasenyleund !

Firstly, just after reading the title of your topic: it’s not advisable to use long term tokens because of security reasons. Tokens should be regenerated regularly.

Here’s how to set access token life-time: https://auth0.com/docs/tokens/set-access-token-lifetime

Secondly, make sure that you make your API calls not from your Angular front-end but rather from the backend, as it’s safer because the web server makes a proxy for you, not exposing your credentials and calls.

Here’s your ultimate set of resources on using refresh tokens that will certainly help you:

  1. https://auth0.com/learn/refresh-tokens/
  2. https://auth0.com/docs/tokens/refresh-token/current
  3. https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/

Let me know if that helps!
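
The pattern the reply above points to (short-lived access tokens renewed with a refresh token that stays on the backend), sketched as an added example that is not part of the original thread or Auth0's own code. The tenant URL, credentials, session shape and function names are assumptions; the request is the standard OAuth 2.0 refresh_token grant.

```javascript
// Added example. YOUR_TENANT and the client credentials are placeholders;
// the refresh token is held server-side and never sent to the browser.
const TOKEN_URL = 'https://YOUR_TENANT.auth0.com/oauth/token'; // placeholder

// Form body for the OAuth 2.0 refresh_token grant (RFC 6749, section 6).
function buildRefreshRequest(clientId, clientSecret, refreshToken) {
  return new URLSearchParams({
    grant_type: 'refresh_token',
    client_id: clientId,
    client_secret: clientSecret,
    refresh_token: refreshToken,
  }).toString();
}

// True when there is no access token or it expires within skewMs.
function needsRefresh(session, nowMs, skewMs = 30000) {
  return !session.accessToken || nowMs >= session.expiresAt - skewMs;
}

// Validate a token endpoint response and return the updated session.
function applyTokenResponse(session, body, nowMs) {
  if (typeof body.access_token !== 'string' || !(body.expires_in > 0)) {
    throw new Error('token endpoint returned no usable access token');
  }
  return {
    accessToken: body.access_token,
    expiresAt: nowMs + body.expires_in * 1000,
    // If the server rotates refresh tokens, the old one must be replaced.
    refreshToken: body.refresh_token || session.refreshToken,
  };
}

// Backend-only entry point: resolves to [accessToken, updatedSession].
async function getAccessToken(session, creds, httpPost = postForm) {
  if (!needsRefresh(session, Date.now())) return [session.accessToken, session];
  const form = buildRefreshRequest(creds.clientId, creds.clientSecret, session.refreshToken);
  const next = applyTokenResponse(session, await httpPost(TOKEN_URL, form), Date.now());
  return [next.accessToken, next];
}

// Default transport: POSTs the form and parses the JSON reply.
async function postForm(url, form) {
  const res = await fetch(url, {
    method: 'POST',
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
    body: form,
  });
  if (!res.ok) throw new Error(`token endpoint HTTP ${res.status}`);
  return res.json();
}
```

The caller persists the returned session after each call, so a rotated refresh token is not lost.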