I am trying to set up refresh tokens, but I cannot find the way to make it work. I followed the documentation, though.
What happens:
In the end, after the user successfully logs in on the Auth0 page, the redirect URI only contains the access_token and no sign of any refresh_token in the URL parameters.
Note: also, OIDC Conformant is enabled in the OAuth tab.
I don’t think it would intervene here, but just in case, I also have an API for granting more dedicated permissions in the access_token. Its settings are here:
Would you be able to confirm if the offline_access scope is being requested on your requests to /authorize?
The offline_access scope is required in order for a refresh token to be returned. If the token is missing, it is likely due to this scope not being set on the request. You can find more information on this here:
If this scope is included and you are still not seeing the refresh token returned, would you be able to expand a little on your application and what Auth0 SDK/library you are using?
Could you expand a little on your SPA application and what Auth0 SDK/library you have integrated for your authentication? If you could also include the version you are using, that would be great.
About the SPA application
It’s a nocode web app. We therefore use no SDK, only API calls. I can provide the ClientID if it helps you out. I can also provide the Auth0 tenant if required.
About the Login flow
It may be important, so I mention it here: in the Login Flow (Actions > Flows) I add some metadata to the access_token with custom actions. I believe it should not interfere, but anyway…
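The scope check asked for in the reply above, written out as an added example that is not part of the original thread: it inspects an /authorize request for the `offline_access` scope and for a `response_type` that can yield a refresh token at all, then classifies the redirect the app received. Hostnames, `CLIENT_ID`, and token values are constructed placeholders; the `response_type` check relies on RFC 6749 section 4.2.2, which forbids refresh tokens in the implicit grant.

```javascript
// Added example (not from the thread). All URLs and values are constructed.

// Split a space-delimited OAuth parameter into its individual values.
const values = (params, name) =>
  (params.get(name) || "").split(/\s+/).filter(Boolean);

// Inspect the /authorize request: can it lead to a refresh token?
function checkAuthorizeRequest(authorizeUrl) {
  const params = new URL(authorizeUrl).searchParams;
  const findings = [];
  if (!values(params, "scope").includes("offline_access")) {
    findings.push("missing-offline_access-scope");
  }
  // RFC 6749 section 4.2.2: the implicit grant must not issue a refresh
  // token, so the request has to ask for an authorization code.
  if (!values(params, "response_type").includes("code")) {
    findings.push("response_type-without-code");
  }
  return findings;
}

// Inspect the redirect the app received: which flow delivered the result?
function classifyCallback(callbackUrl) {
  const url = new URL(callbackUrl);
  const fragment = new URLSearchParams(url.hash.slice(1));
  if (fragment.has("access_token")) return "implicit"; // token in the URL
  // With a code, tokens (refresh token included) come back from the
  // token endpoint exchange, never in the redirect URL itself.
  if (url.searchParams.has("code")) return "authorization-code";
  if (url.searchParams.has("error") || fragment.has("error")) return "error";
  return "unknown";
}

// Constructed sample requests.
const base = "https://TENANT.example.com/authorize?client_id=CLIENT_ID" +
  "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb";
const implicitRequest = base + "&response_type=token&scope=openid%20profile";
const codeRequest = base + "&response_type=code" +
  "&scope=openid%20profile%20offline_access" +
  "&code_challenge=CHALLENGE&code_challenge_method=S256";

console.log(checkAuthorizeRequest(implicitRequest));
console.log(checkAuthorizeRequest(codeRequest));
console.log(classifyCallback("https://app.example.com/cb#access_token=SAMPLE"));
```

An empty result from `checkAuthorizeRequest` means only that the request itself does not rule out a refresh token; tenant-side settings are outside what the URL shows.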