We’re currently experiencing an issue only in our production tenant: we receive a 403 from the oauth/token endpoint using the Vue SDK.
The error we get in the Auth0 logs is “Failed to exchange a Rotating Refresh Token when Refresh Token Rotation is not enabled.”
When creating the auth0 instance using the sdk, we configure:
useRefreshTokens: true,
cacheLocation: 'localstorage',
We also pass the audience through in authorizationParams as the Management API audience.
In our auth0 tenant we have “Allow refresh token rotation” toggled on for our SPA application.
This works in our UAT environment with the same settings; however, with our production tenant we get the 403. Any ideas on why this would be happening?
Thanks for looking into this. Looking at the authorize request in the browser network tab, the scope being sent with the request in our lower environments and production is as follows:
scope: openid profile email offline_access
Also, from research, is it accurate that newer tenants have a different behaviour where specifying the Management API as the audience will result in the refresh token error even though allow refresh tokens is turned on? Could this be the reason that lower environments work and production produces this error?
Thank you for the update. I haven’t seen any information about this, but I will request additional details internally. Meanwhile, my advice would be to avoid getting the Management API token and having it on the frontend, because then the user can change their user_metadata if they get the token from local storage.
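As an added example (not from this thread, and not Auth0 SDK code), the following script shows the kind of check the last reply is pointing at: decode the payload of a token a SPA is about to cache and flag it if its audience is the tenant's Management API or if it carries write scopes. The tenant domain, the backend API audience and the sample tokens are constructed placeholders; the decoder does no signature verification because its purpose is to inspect what the browser would hold, not to trust it.

```javascript
// Added example, not code from the thread or the Auth0 SDK.
// Decode a JWT payload (no verification) and audit whether a SPA should cache it.
// MGMT_API_AUDIENCE uses a placeholder tenant domain; adjust to your tenant.
const MGMT_API_AUDIENCE = "https://example-tenant.auth0.com/api/v2/";

// base64url -> UTF-8 string. Re-pads and swaps the URL-safe alphabet back to standard base64.
function base64UrlDecode(part) {
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

// Return the payload claims of a compact JWS (header.payload.signature).
// Deliberately skips signature checking: this inspects a token, it does not trust it.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Audit the claims of a token before the SPA stores it. Returns a list of findings
// (empty list means nothing to flag). `aud` may be a string or an array per RFC 7519.
function auditSpaToken(claims) {
  const findings = [];
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (aud.includes(MGMT_API_AUDIENCE)) {
    findings.push("audience is the Management API; do not hold this token in the browser");
  }
  // Auth0 scopes are space-separated; write-style scopes use the verb:resource form.
  const scopes = (claims.scope || "").split(" ").filter(Boolean);
  const writeScopes = scopes.filter((s) => /^(update|create|delete):/.test(s));
  if (writeScopes.length) {
    findings.push(`token carries write scopes: ${writeScopes.join(", ")}`);
  }
  return findings;
}

// Build a constructed, unsigned sample token with the given payload (dummy signature).
function makeSampleJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.sig`;
}

// Constructed sample: a token minted for the Management API audience with a metadata write scope.
const SAMPLE_MGMT_TOKEN = makeSampleJwt({
  iss: "https://example-tenant.auth0.com/",
  aud: [MGMT_API_AUDIENCE],
  scope: "openid profile email offline_access update:current_user_metadata",
});

// Constructed sample: a token for the application's own backend API (placeholder audience).
const SAMPLE_API_TOKEN = makeSampleJwt({
  iss: "https://example-tenant.auth0.com/",
  aud: "https://api.example.com",
  scope: "openid profile email offline_access read:orders",
});

if (typeof require !== "undefined" && require.main === module) {
  console.log("management token:", auditSpaToken(decodeJwtPayload(SAMPLE_MGMT_TOKEN)));
  console.log("backend API token:", auditSpaToken(decodeJwtPayload(SAMPLE_API_TOKEN)));
}
```

Running it flags the first sample twice (Management API audience, and a write scope) and passes the second cleanly; the same audit can be applied to the access token the SDK returns before it reaches localStorage, which is what makes the "keep the Management API token off the frontend" advice checkable rather than a matter of reading the config.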