Refresh token unavailable

guillim · February 26, 2023, 2:26pm

Hello,

I am trying to setup refresh tokens, but I cannot find the way to make it work. I followed the documentation, though.

What happens :
In the end, after the user successflully logs in on auth0 page, the redirect URI only contains the access_token and no sign of any refresh_token in the URL parameters.

Is it because it’s not in the free plan ?

Here is my context :

one SPA application with these settings

Screenshot 2023-02-26 at 15.19.371920×1972 147 KB

Note : also, OIDC Conformant is enabled in the OAuth tab
I don’t think it would intervene here, but just in case, I also have an API for more granting dedicated permission in the access_token. Its settings are here :

Screenshot 2023-02-26 at 15.22.552330×2806 472 KB

Tks for your help

james.merrigan · February 27, 2023, 8:07am

Hi @guillim

Would you be able to confirm if the offline_access scope is being requested on your requests to /authorize?

The offline_access scope is required in order for a refresh token to be returned. If the token is missing, it is likely due to this scope not being set on the request. You can find more information on this here:

If this scope is included and you are still not seeing the refresh token returned, would you be able to expand a little on your application and what Auth0 SDK/library you are using?

Let me know when you get a chance!

guillim · February 27, 2023, 8:12am

thanks for your answer. Yes I did. Here is the decoded access_token (using jwt.io) I get from the redirect, after successfully logging in :

(I replaced sensitice info with xxxxx)

{
  "xxxxxxx": "xxxxxxx",
  "xxxxxxx": "xxxxxxx",
  "baseurl/roles": [
    "admin"
  ],
  "iss": "https://xxxxxxx.eu.auth0.com/",
  "sub": "auth0|xxxxxxx",
  "aud": [
    "https://myaudience",
    "https://xxxx.eu.auth0.com/userinfo"
  ],
  "iat": 1677485109,
  "exp": 1677492309,
  "azp": "xxxxxx",
  "scope": "openid profile email offline_access",
  "permissions": [
    "create:comments",
    "create:companies",
    "update:tags",
    "update:teams"
  ]
}

james.merrigan · February 27, 2023, 8:31am

Thanks for the reply and confirmation @guillim!

Could expand a little on your SPA application and what Auth0 SDK/library you have integrated for your authentication? If you could also include the version you are using that would be great.

guillim · February 27, 2023, 9:10am

Sure !

About the SPA application
It’s a nocode web app. We therefore use no SDK, only API calls. I can provide the ClientID it helps you out. I can also provide the Auth0 tenant if required.

About the Login flow
It may be important so I mention it here : in the Login Flow (Actions > Flows) I add with custom actions some metadata to the access_token. I belive it should not interfere but anyway…

Topic		Replies	Views
/outh/token api missing refresh_token Help	4	3532	October 4, 2019
Anyone? Refreshing tokens: id_token missing in refresh_token response? Help oauth , access-token , refresh_token	3	8041	March 2, 2018
Not getting refresh tokens Help login-experience	2	270	April 4, 2024
Auth0 spa 2.x returning missing_refresh_token Help auth0 , refresh_token	27	11236	May 25, 2023
Refresh token - Allow silent authentication Help login-experience , new-universal-login-experience	2	1286	September 27, 2023

Refresh token unavailable

Related topics