Refresh Token returns null for Passwordless OTP email flow on SPA

RaptorX · September 3, 2024, 2:16pm

Is it possible to get a refresh token via the email passwordless OTP flow on an SPA?

I am parsing offline_access to the relevant scopes. Our settings are enabled for refresh tokens and offline_access within the application.

My response I get back through parseHash is always returning null.

It states here that it is possible, but does it mean via SMS? Or email as well?

  public passwordlessSendOTP(email: string) {
    return new Promise<Auth0DecodedHash>((resolve, reject) => {
      this.auth.passwordlessStart(
        {
          connection: "email",
          email,
          send: "code",
        },
        (err, result) => {
          if (err) {
            reject(err);
          } else {
            resolve(result);
          }
        },
      );
    });
  }

  public passwordlessLogin(code: string, email: string) {
    return new Promise<Auth0DecodedHash>((resolve, reject) => {
      this.auth.passwordlessLogin(
        {
          connection: "email",
          email: email,
          verificationCode: code,
          responseType: "code id_token token",
          scope: "openid profile email offline_access",
        },
        (err, result) => {
          if (err) {
            reject(err);
          } else {
            resolve(result);
          }
        },
      );
    });
  }

  public passwordlessCallback(hash: string) {
    return new Promise<Auth0DecodedHash>((resolve, reject) => {
      this.auth.parseHash({ hash }, function (err, authResult) {
        if (err) {
          return reject(err);
        }
        if (!authResult) {
          return reject();
        }

      });
    });
  }

tyf · September 3, 2024, 6:10pm

Hey there @RaptorX

I suspect this is due to the lack of an audience param in your passwordlessLogin function - You’ll also want to make sure that the API identifier you pass as the audience has Allow Offline Access toggled on as well:

RaptorX · September 4, 2024, 9:26am

Thanks for the reply @tyf

I’ve included the audience and I still get null back. For the audience we are sending to the options are toggled on

This is also how we initiate the SDK for more context incase we are missing something

    this.auth = new WebAuth({
      audience,
      clientID,
      domain,
      redirectUri,
      responseType: "token id_token",
      scope: "openid profile email offline_access",
    });

I have also adjusted passwordlessStart to include the audience and scope, still null

  // send email with code to user
  public passwordlessSendOTP(email: string) {
    return new Promise<Auth0DecodedHash>((resolve, reject) => {
      this.auth.passwordlessStart(
        {
          authParams: {
            audience: "XXX",
            scope: "openid profile email offline_access",
          },
          connection: "email",
          email,
          send: "code",
        },
        (err, result) => {
          if (err) {
            reject(err);
          } else {
            resolve(result);
          }
        },
      );
    });
  }