Refresh Token returns null for Passwordless OTP email flow on SPA

RaptorX · September 3, 2024, 2:16pm

Is it possible to get a refresh token via the email passwordless OTP flow on an SPA?

I am parsing offline_access to the relevant scopes. Our settings are enabled for refresh tokens and offline_access within the application.

My response I get back through parseHash is always returning null.

It states here that it is possible, but does it mean via SMS? Or email as well?

  public passwordlessSendOTP(email: string) {
    return new Promise<Auth0DecodedHash>((resolve, reject) => {
      this.auth.passwordlessStart(
        {
          connection: "email",
          email,
          send: "code",
        },
        (err, result) => {
          if (err) {
            reject(err);
          } else {
            resolve(result);
          }
        },
      );
    });
  }

  public passwordlessLogin(code: string, email: string) {
    return new Promise<Auth0DecodedHash>((resolve, reject) => {
      this.auth.passwordlessLogin(
        {
          connection: "email",
          email: email,
          verificationCode: code,
          responseType: "code id_token token",
          scope: "openid profile email offline_access",
        },
        (err, result) => {
          if (err) {
            reject(err);
          } else {
            resolve(result);
          }
        },
      );
    });
  }

  public passwordlessCallback(hash: string) {
    return new Promise<Auth0DecodedHash>((resolve, reject) => {
      this.auth.parseHash({ hash }, function (err, authResult) {
        if (err) {
          return reject(err);
        }
        if (!authResult) {
          return reject();
        }

      });
    });
  }

tyf · September 3, 2024, 6:10pm

Hey there @RaptorX

I suspect this is due to the lack of an audience param in your passwordlessLogin function - You’ll also want to make sure that the API identifier you pass as the audience has Allow Offline Access toggled on as well:

RaptorX · September 4, 2024, 9:26am

Thanks for the reply @tyf

I’ve included the audience and I still get null back. For the audience we are sending to the options are toggled on

This is also how we initiate the SDK for more context incase we are missing something

    this.auth = new WebAuth({
      audience,
      clientID,
      domain,
      redirectUri,
      responseType: "token id_token",
      scope: "openid profile email offline_access",
    });

I have also adjusted passwordlessStart to include the audience and scope, still null

  // send email with code to user
  public passwordlessSendOTP(email: string) {
    return new Promise<Auth0DecodedHash>((resolve, reject) => {
      this.auth.passwordlessStart(
        {
          authParams: {
            audience: "XXX",
            scope: "openid profile email offline_access",
          },
          connection: "email",
          email,
          send: "code",
        },
        (err, result) => {
          if (err) {
            reject(err);
          } else {
            resolve(result);
          }
        },
      );
    });
  }

Topic		Replies	Views
No refresh token when using Passwordless/OTP grant through SMS Help passwordless , sms , refresh-tokens	5	3758	July 31, 2023
Issue retrieving refresh token in passwordless otp grant type Help	5	3587	January 28, 2020
Passwordless Login Refresh Token Help auth0js , passwordless , refresh-tokens	2	4551	June 21, 2020
How to get `refresh_token` for embedded passwordless auth in a native app Help api , passwordless , login , embedded-login , passwordless-sms	4	4582	May 27, 2021
Not able to get refresh token in passwordless Help connections , passwordless-sms-connection	1	746	August 25, 2023

Refresh Token returns null for Passwordless OTP email flow on SPA

Related Topics