React Native refresh id_token not working

Hey all. We’re using the auth0/react-native-auth0 package to log in our users.

import Auth0 from 'react-native-auth0';
const auth0 = new Auth0({ domain: 'our-domain.auth0.com', clientId: 'our-client-id' });
// offline_access is what makes the returned credentials include a refreshToken
const credentials = await auth0.webAuth.authorize({
    scope: 'openid profile email offline_access',
    audience: 'our-company-audience',
});

And the credentials object that is returned contains an accessToken, refreshToken, and an idToken. We use the jwt idToken to communicate with our API. However, this token expires and we need to refresh it.

One might think that you would then need to use the auth0.auth.refreshToken({ refreshToken }) method which we have tried. It returns a successful response with a new token back but that new token is invalid (idToken isn’t signed the same way?).

So then we also tried hitting the endpoint directly with axios:

import axios from 'axios';

// refresh_token grant against the tenant's token endpoint; the response body
// carries access_token and id_token (plus expires_in), not a single token
const { data } = await axios.post(
  'https://our-domain.auth0.com/oauth/token',
  {
    scope: 'openid profile email offline_access',
    domain: 'our-domain.auth0.com',
    client_id: 'our-client-id',
    grant_type: 'refresh_token',
    audience: 'our-audience',
    refresh_token: refreshToken,
  },
);

This gives us a token back, but it is also still invalid.

How are we able to refresh the original idToken?

Hey @ozzie.neher! I realize this is an old post but hopefully you can find some value (or, better yet, you already solved your issue!).

If you have a native app talking to an API where requests need to be authorized (the typical deployment for APIs), you should be using the Access Token (and not the ID Token) to authorize those requests. The ID Token is to be consumed by the native app to get information about the user who logged in.
In the API, you’d configure the token validation parameters so that the audience is the API identifier (not the client ID). The refresh token flow should give you a full token response (access token + id token), and you’ll keep the new access token for API requests.
If that doesn’t work for some reason, inspect the tokens in https://jwt.io to see the difference between the “good” one and the “bad” one. Also, when the API rejects it, there should be a descriptive error somewhere, to guide you on what the problem is (e.g. invalid audience, invalid signature, expired token, and so on).