Refresh token unavailable

guillim · February 26, 2023, 2:26pm

Hello,

I am trying to setup refresh tokens, but I cannot find the way to make it work. I followed the documentation, though.

What happens :
In the end, after the user successflully logs in on auth0 page, the redirect URI only contains the access_token and no sign of any refresh_token in the URL parameters.

Is it because it’s not in the free plan ?

Here is my context :

one SPA application with these settings

Screenshot 2023-02-26 at 15.19.371920×1972 147 KB

Note : also, OIDC Conformant is enabled in the OAuth tab
I don’t think it would intervene here, but just in case, I also have an API for more granting dedicated permission in the access_token. Its settings are here :

Screenshot 2023-02-26 at 15.22.552330×2806 472 KB

Tks for your help

james.merrigan · February 27, 2023, 8:07am

Hi @guillim

Would you be able to confirm if the offline_access scope is being requested on your requests to /authorize?

The offline_access scope is required in order for a refresh token to be returned. If the token is missing, it is likely due to this scope not being set on the request. You can find more information on this here:

If this scope is included and you are still not seeing the refresh token returned, would you be able to expand a little on your application and what Auth0 SDK/library you are using?

Let me know when you get a chance!

guillim · February 27, 2023, 8:12am

thanks for your answer. Yes I did. Here is the decoded access_token (using jwt.io) I get from the redirect, after successfully logging in :

(I replaced sensitice info with xxxxx)

{
  "xxxxxxx": "xxxxxxx",
  "xxxxxxx": "xxxxxxx",
  "baseurl/roles": [
    "admin"
  ],
  "iss": "https://xxxxxxx.eu.auth0.com/",
  "sub": "auth0|xxxxxxx",
  "aud": [
    "https://myaudience",
    "https://xxxx.eu.auth0.com/userinfo"
  ],
  "iat": 1677485109,
  "exp": 1677492309,
  "azp": "xxxxxx",
  "scope": "openid profile email offline_access",
  "permissions": [
    "create:comments",
    "create:companies",
    "update:tags",
    "update:teams"
  ]
}

james.merrigan · February 27, 2023, 8:31am

Thanks for the reply and confirmation @guillim!

Could expand a little on your SPA application and what Auth0 SDK/library you have integrated for your authentication? If you could also include the version you are using that would be great.

guillim · February 27, 2023, 9:10am

Sure !

About the SPA application
It’s a nocode web app. We therefore use no SDK, only API calls. I can provide the ClientID it helps you out. I can also provide the Auth0 tenant if required.

About the Login flow
It may be important so I mention it here : in the Login Flow (Actions > Flows) I add with custom actions some metadata to the access_token. I belive it should not interfere but anyway…