Refresh Token does not include org and permission

In a React-Express node application, I have refresh-token rotation enabled

useRefreshTokens={true}
  cacheLocation="localstorage"
  scope="offline_access"

everything works, except that when I don’t use refresh tokens, my claim contains org_id and permissions, but when I do, the claim does not contain any of those:
Without refresh-token rotation I get:

tokenClaims {
  iss: 'https://xxxxxxx.xx.auth0.com/',
  sub: 'auth0|61b7a9402cxxxxxxxxx',
  aud: [ 'xxxxxx-api', 'https://xxxxxxx.auth0.com/userinfo' ],
  iat: 1641422999,
  exp: 1641509399,
  azp: 'lBYPRJVdFfg0voLjPvdj0VgqdxeJfLYh',
  scope: 'openid profile email',
  org_id: 'org_xxxxxx',
  permissions: [ 'read:organizations', 'update:organizations' ]
}

with it, I get:

tokenClaims {
  iss: 'https://xxxxxx.auth0.com/',
  sub: 'auth0|61b7a9402c31aa0071b045f1',
  aud: [ 'xxxxx-api', 'https://xxxxxxxxx.auth0.com/userinfo' ],
  iat: 1641423171,
  exp: 1641509571,
  azp: 'lBYPRJVdFfg0voLjPvdj0VgqdxeJfLYh',
  scope: 'openid profile email offline_access',
  permissions: []
}

Can someone help with how to get org_id and permissions in the refresh token, please?

Hi @ralemy,

Thanks for reaching out to the Auth0 Community!

I understand that you have issues with your claims when using a refresh token to get your access tokens.

I have just tested this myself and did not find the same observations. Instead, I was able to get the organization ID and permissions both in my initial request and the request when I used the refresh token to get my new tokens.

Given that, could you please share your /authorize request with me?

Thank you.

Thank you @rueben.tiow for your quick response. I am not sure if I understand correctly, but here is my /authorize request. If it is not what you wanted, kindly elaborate and I will get it done:

https://MY_DOMAIN.us.auth0.com/authorize?response_type=code&client_id=MY_CLIENT_ID&redirect_uri=http://localhost:3000/login&scope=offline_access email openid profile&audience=MYAUDIANCE&state=MYSTATE

it forwards me to my callbackpage, with my access token set to a JWT token when logged in. the payload of that JWT token is the same as I mentioned in my original post. It does not have permissions and orgId in it.

@rueben.tiow , do you happen to know of a sample app somewhere that works, so that I can compare it what I have and find out what the problem is?

Hi @ralemy,

Thank you for your responses.

Yes, the /authorize request you provided is helpful. After looking closely, I found that your request is missing the organization parameter.

In this case, could you try the following /authorize request to get the code to then pass to the /oauth/token endpoint:

https://YOUR_DOMAIN/authorize?
    response_type=code&
    client_id=YOUR_CLIENT_ID&
    redirect_uri=https://YOUR_APP/callback&
    scope=SCOPE&
    audience=API_AUDIENCE&
    state=STATE&
    organization=ORG_ID

Lastly, please don’t forget to enable the Add Permissions in the Access Token switch on your API settings.

image2522×920 125 KB

I have tested this and confirm that the access token returns the organization ID and permissions.

Please let me know how this goes for you.

Thank you.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.