Hi @mhopey.
The react-native-auth0 library implements the code authorization grant with PKCE, which is the appropriate flow for native applications. Your direct usage of the /authorize endpoint with response_type=token is triggering an “implicit flow” like @James.Morrison said, which is the flow used in SPAs. The implicit flow, by definition, does not return refresh tokens because SPAs are not suited to keep a refresh token securely.
You can leverage react-native-auth0’s authorize method, which uses the code grant with PKCE. The recommended usage would display Auth0’s hosted login page (to let the user choose the desired login method), but if you are putting that option in your application, you can put the connection name directly in the authorize request like this:
auth0
  .webAuth
  .authorize({
    // offline_access is the scope that asks for a refresh token
    scope: 'openid email offline_access',
    connection: the_connection_name,
    // [...]
  })
  .then(credentials => console.log(credentials))
  .catch(error => console.log(error));
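
The PKCE exchange that the reply contrasts with response_type=token, as an added example that is not part of the original post and not react-native-auth0's own code. The function names are hypothetical, and the domain, client ID and redirect URI are placeholders supplied by the caller; the server-side check is a simplified model of what an authorization server does at the token endpoint (RFC 7636, S256 method).

```javascript
const crypto = require('node:crypto');

// Client: high-entropy, single-use secret that never leaves the app
// until the token request (32 random bytes -> 43 base64url characters).
function createCodeVerifier() {
  return crypto.randomBytes(32).toString('base64url');
}

// code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
function codeChallengeS256(verifier) {
  return crypto.createHash('sha256').update(verifier, 'ascii').digest('base64url');
}

// Client: authorization request. Note response_type=code, not token, so the
// redirect carries only a short-lived code and no tokens appear in the URL.
function buildAuthorizeUrl({ domain, clientId, redirectUri, connection, verifier }) {
  const url = new URL(`https://${domain}/authorize`);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: clientId,
    redirect_uri: redirectUri,
    scope: 'openid email offline_access', // offline_access requests a refresh token
    connection,
    code_challenge: codeChallengeS256(verifier),
    code_challenge_method: 'S256',
  }).toString();
  return url;
}

// Server model: the challenge was stored with the issued code. The code is
// redeemed only if the presented verifier hashes to that challenge, so a code
// intercepted on the redirect is useless without the verifier.
function verifierMatches(storedChallenge, presentedVerifier) {
  // RFC 7636 limits the verifier to 43-128 unreserved characters.
  if (!/^[A-Za-z0-9\-._~]{43,128}$/.test(presentedVerifier)) return false;
  const computed = Buffer.from(codeChallengeS256(presentedVerifier));
  const stored = Buffer.from(storedChallenge);
  return computed.length === stored.length && crypto.timingSafeEqual(computed, stored);
}
```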