Refresh Token missing on authorize

I’m building a project using Cordova and have successfully gotten a refresh token this morning but I’m now currently unable to get a refresh token in my app. I’m now getting the following error from the logs: “The scope ‘offline_access’ was requested, but no ‘refresh_token’ was issued because the authorization code exchange originated from a browser”

I’ve reverted to some code I had this morning that when I was able to successfully get a refresh token but still no luck.

I’m not sure what has changed, either code or Auth0 settings in my system.

Hi @jdesrochers,

Welcome to the Community!

This error sounds like you are trying to get a refresh token is a SPA, which is not allowed. Is that the case?

Let me know,

Hi Dan,

I’m building a ReactJS app packaged with Cordova and using @auth0/cordova to do authentication with your service. The weirdest thing was that it was giving me refresh tokens for a couple of hours then suddenly stopped. I looked through the logs and can see them working, and then when they stopped I was receiving this error.

As a work around for now I’ve started calling authorize end point again with prompt set to “none” and that seems to be working for me right now, though I’m not sure this correct way to do what I’m looking for.

Justin Desrochers

Hi @jdesrochers,

It is possible to get a refresh token is a SPA, but you would have to have misconfigured your app in the dashboard. If you were changing settings then that could explain why you were able to get one. It is hard to say why without any detailed information.

The prompt=none call is requesting a silent authentication, and that is the recommended flow for a SPA. I would suggest taking a look at our React quickstart if you are interested in best practices.

Hope this helps,

This doesn’t sound like a solution. Why would the tenant suddenly start throwing that warning and not providing a refresh token when all your documentation and all tenants before last week in fact work that way?

Hi @Bruce_Hubbard,

Welcome back!

It’s hard to say without confirmation, but it sounds like they had the mobile app misconfigured as a SPA, which would explain why they were unable to get a refresh token.

Are you running into the same issue?

Hi @dan.woda

Can you explain to me how I may have misconfigured my app as a SPA vs a mobile app? We are using the Cordova SDK provided by Auth0 and have followed the steps outlined in the quick start guide and have turned on Allow Offline Access on our API.


If that’s the case, then you should be able to get the token. Can you DM me the name of your tenant?

Also, how are you testing? In a real device, emulated device, or browser?

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.