Refresh Token does not include org and permission

In a React-Express node application, I have refresh-token rotation enabled

useRefreshTokens={true}
  cacheLocation="localstorage"
  scope="offline_access"

Everything works, except that when I don't use refresh tokens my claims contain org_id and permissions, but when I do, the claims do not contain either of them.
Without refresh-token rotation I get:

tokenClaims {
  iss: 'https://xxxxxxx.xx.auth0.com/',
  sub: 'auth0|61b7a9402cxxxxxxxxx',
  aud: [ 'xxxxxx-api', 'https://xxxxxxx.auth0.com/userinfo' ],
  iat: 1641422999,
  exp: 1641509399,
  azp: 'lBYPRJVdFfg0voLjPvdj0VgqdxeJfLYh',
  scope: 'openid profile email',
  org_id: 'org_xxxxxx',
  permissions: [ 'read:organizations', 'update:organizations' ]
}

with it, I get:

tokenClaims {
  iss: 'https://xxxxxx.auth0.com/',
  sub: 'auth0|61b7a9402c31aa0071b045f1',
  aud: [ 'xxxxx-api', 'https://xxxxxxxxx.auth0.com/userinfo' ],
  iat: 1641423171,
  exp: 1641509571,
  azp: 'lBYPRJVdFfg0voLjPvdj0VgqdxeJfLYh',
  scope: 'openid profile email offline_access',
  permissions: []
}

Can someone help with how to get org_id and permissions in the refresh token, please?

Hi @ralemy,

Thanks for reaching out to the Auth0 Community!

I understand that you have issues with your claims when using a refresh token to get your access tokens.

I have just tested this myself and did not find the same observations. Instead, I was able to get the organization ID and permissions both in my initial request and the request when I used the refresh token to get my new tokens.

Given that, could you please share your /authorize request with me?

Thank you.

Thank you @rueben.tiow for your quick response. I am not sure if I understand correctly, but here is my /authorize request. If it is not what you wanted, kindly elaborate and I will get it done:

https://MY_DOMAIN.us.auth0.com/authorize?response_type=code&client_id=MY_CLIENT_ID&redirect_uri=http://localhost:3000/login&scope=offline_access email openid profile&audience=MYAUDIANCE&state=MYSTATE

It forwards me to my callback page, with my access token set to a JWT when logged in. The payload of that JWT is the same as I mentioned in my original post: it does not have permissions or org_id in it.

@rueben.tiow, do you happen to know of a sample app somewhere that works, so that I can compare it with what I have and find out what the problem is?

Hi @ralemy,

Thank you for your responses.

Yes, the /authorize request you provided is helpful. After looking closely, I found that your request is missing the organization parameter.

In this case, could you try the following /authorize request to get the code to then pass to the /oauth/token endpoint:

https://YOUR_DOMAIN/authorize?
    response_type=code&
    client_id=YOUR_CLIENT_ID&
    redirect_uri=https://YOUR_APP/callback&
    scope=SCOPE&
    audience=API_AUDIENCE&
    state=STATE&
    organization=ORG_ID

Lastly, please don’t forget to enable the Add Permissions in the Access Token switch on your API settings.

I have tested this and confirm that the access token returns the organization ID and permissions.

Please let me know how this goes for you.

Thank you.
