Refresh Token not getting returned in auth0-nodeJS SDK

Please include the following information in your post:

  • Which SDK this is regarding: Node-auth0
  • SDK Version: latest
  • Platform Version: node 16?
  • Code Snippets/Error Messages/Supporting Details/Screenshots: we’re using the passwordGrant method, and passing in “offline_access” in scope, but no refresh token is getting returned. Help Please! It works correctly when we do a password grant via HTTPS so I’m certain it isn’t our auth0 settings.

Is this a feature request or bug report? Unsure

Hi @matt.kaufman ,

Thank you for posting this topic on the Auth0 Community!

Could you please provide some details such as your scripts, what kind of application your project is, and screenshots for your testing or errors? Please feel free to remove/Pixelate the details that pertain to your tenant. Thanks!



Its a Regular Web Application

Here’s our function call, feels very standard:

const data: Auth0.PasswordGrantOptions = {
      username: email,
      scope: "openid offline_access",
      realm: AUTH0_CONNECTION,
    const options: Auth0.PasswordGrantAdditionalOptions = {
      forwardedFor: ipAddress,
    const tokens = await authorizationClient.passwordGrant(data, options);

We receive the following payload:

access_token: [token]
expires_in: 86400
id_token: [token]
scope: "openid profile email address phone"
token_type: "Bearer"

Note that this is missing the refresh_token

No errors are thrown

1 Like

Hi again @matt.kaufman! Good to know it’s working as expected using HTTPS, it’s almost like offline_access is just being ignored here :thinking:

What happens if you omit the openid scope and only include offline_access? I believe openid should be added regardless with the password grant. What about if you create a “dummy” API in Auth0 for testing purposes, enable it for offline access, and pass in an audience of the identifier?

Thinking out loud here @lihua.zhang :slight_smile:

Hi @matt.kaufman ,

Thank you for providing the additional context!

Could you please check if “Allow Offline Access” is switched on for the API? This doc has the details.

Also, according to this github scripts, the PasswordGrantOptions includes the audience parameter. Could you please add it and confirm how it goes? Thanks!

export interface PasswordGrantOptions {
    username: string;
    password: string;
    realm?: string | undefined;
    scope?: string | undefined;
    audience?: string | undefined;

Hi! Turns out we were doing something wrong with our build environment, all is working! Thanks for your help :slight_smile:

1 Like

Hi @matt.kaufman, Thank you for the updates! Glad to know you have resolved this! :clap: :+1:

1 Like