Refresh Token not getting returned in auth0-nodeJS SDK

Please include the following information in your post:

  • Which SDK this is regarding: Node-auth0
  • SDK Version: latest
  • Platform Version: node 16?
  • Code Snippets/Error Messages/Supporting Details/Screenshots: we’re using the passwordGrant method, and passing in “offline_access” in scope, but no refresh token is getting returned. Help Please! It works correctly when we do a password grant via HTTPS so I’m certain it isn’t our auth0 settings.

Is this a feature request or bug report? Unsure

Hi @matt.kaufman ,

Thank you for posting this topic on the Auth0 Community!

Could you please provide some details such as your scripts, what kind of application your project is, and screenshots for your testing or errors? Please feel free to remove/pixelate the details that pertain to your tenant. Thanks!

2 Likes

Sure!

It's a Regular Web Application

Here’s our function call, feels very standard:

const data: Auth0.PasswordGrantOptions = {
  username: email,
  password,
  scope: "openid offline_access",
  realm: AUTH0_CONNECTION,
};
const options: Auth0.PasswordGrantAdditionalOptions = {
  forwardedFor: ipAddress,
};
const tokens = await authorizationClient.passwordGrant(data, options);

We receive the following payload:

access_token: [token]
expires_in: 86400
id_token: [token]
scope: "openid profile email address phone"
token_type: "Bearer"

Note that this is missing the refresh_token

No errors are thrown

1 Like
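
The `scope` field in the payload above lists what the server actually granted, so comparing it with the requested scope shows that `offline_access` was never granted, which is why no `refresh_token` appears. The check below is an added example, not code from the thread or from node-auth0; `diagnoseTokenResponse` and the sample values are assumptions made for illustration.

```typescript
// Added example; diagnoseTokenResponse is a hypothetical helper, not part of node-auth0.
// Field names follow the OAuth 2.0 token response (RFC 6749, section 5.1).
interface TokenResponse {
  access_token: string;
  token_type: string;
  expires_in?: number;
  id_token?: string;
  refresh_token?: string;
  scope?: string;
}

interface ScopeDiagnosis {
  missing: string[];     // requested but not granted
  unexpected: string[];  // granted but never requested
  refreshTokenPresent: boolean;
  findings: string[];
}

const splitScope = (s: string): string[] =>
  s.split(/\s+/).filter((x) => x.length > 0);

function diagnoseTokenResponse(requestedScope: string, res: TokenResponse): ScopeDiagnosis {
  const requested = splitScope(requestedScope);
  // RFC 6749 5.1: a response without "scope" means the grant equals the request.
  const granted = res.scope === undefined ? requested : splitScope(res.scope);
  const missing = requested.filter((s) => granted.indexOf(s) === -1);
  const unexpected = granted.filter((s) => requested.indexOf(s) === -1);
  const refreshTokenPresent =
    typeof res.refresh_token === "string" && res.refresh_token.length > 0;
  const findings: string[] = [];
  if (missing.length > 0) findings.push("requested but not granted: " + missing.join(" "));
  if (unexpected.length > 0) findings.push("granted but not requested: " + unexpected.join(" "));
  if (requested.indexOf("offline_access") !== -1 && !refreshTokenPresent) {
    findings.push("offline_access was requested but no refresh_token came back");
  }
  return { missing, unexpected, refreshTokenPresent, findings };
}

// Constructed sample mirroring the payload in the thread (token values are placeholders).
const threadResponse: TokenResponse = {
  access_token: "[token]",
  id_token: "[token]",
  expires_in: 86400,
  scope: "openid profile email address phone",
  token_type: "Bearer",
};
const diagnosis = diagnoseTokenResponse("openid offline_access", threadResponse);
console.log(diagnosis.findings.join("\n"));
```
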

Hi again @matt.kaufman! Good to know it’s working as expected using HTTPS, it’s almost like offline_access is just being ignored here :thinking:

What happens if you omit the openid scope and only include offline_access? I believe openid should be added regardless with the password grant. What about if you create a “dummy” API in Auth0 for testing purposes, enable it for offline access, and pass in an audience of the identifier?

Thinking out loud here @lihua.zhang :slight_smile:

Hi @matt.kaufman ,

Thank you for providing the additional context!

Could you please check if “Allow Offline Access” is switched on for the API? This doc has the details.

Also, according to this GitHub script, the PasswordGrantOptions includes the audience parameter. Could you please add it and confirm how it goes? Thanks!

export interface PasswordGrantOptions {
    username: string;
    password: string;
    realm?: string | undefined;
    scope?: string | undefined;
    audience?: string | undefined;
}

Hi! Turns out we were doing something wrong with our build environment, all is working! Thanks for your help :slight_smile:

1 Like

Hi @matt.kaufman, Thank you for the updates! Glad to know you have resolved this! :clap: :+1:

1 Like