Refresh token unavailable

Hello,

I am trying to set up refresh tokens, but I cannot find the way to make it work. I followed the documentation, though.

What happens:
In the end, after the user successfully logs in on the Auth0 page, the redirect URI only contains the access_token and no sign of any refresh_token in the URL parameters.

Is it because it’s not in the free plan?

Here is my context:

Thanks for your help

1 Like

Hi @guillim :wave:

Would you be able to confirm if the offline_access scope is being requested on your requests to /authorize?

The offline_access scope is required in order for a refresh token to be returned. If the token is missing, it is likely due to this scope not being set on the request. You can find more information on this here:

If this scope is included and you are still not seeing the refresh token returned, would you be able to expand a little on your application and what Auth0 SDK/library you are using?

Let me know when you get a chance!

1 Like
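
An added example (not part of the original posts, and not Auth0's code) for checking the request this reply asks about: it reads the scope from an /authorize URL and lists which OAuth parameters came back on the redirect. It goes slightly beyond the reply by also reporting response_type, because in OAuth 2.0 a refresh token is issued in the token endpoint response, not in redirect URL parameters. The tenant host, client ID and redirect URI are constructed placeholders.

```javascript
// Added example. Every URL and token value below is a constructed sample.

// Split a space-delimited OAuth parameter (scope, response_type) into a list.
const splitParam = (value) => (value || "").split(/\s+/).filter(Boolean);

// Read the two /authorize parameters that decide how tokens are delivered.
function inspectAuthorizeRequest(authorizeUrl) {
  const params = new URL(authorizeUrl).searchParams;
  return {
    scopes: splitParam(params.get("scope")),
    responseTypes: splitParam(params.get("response_type")),
  };
}

// Report which OAuth parameters came back on the redirect, and where.
function inspectRedirect(redirectUrl) {
  const url = new URL(redirectUrl);
  const fragment = new URLSearchParams(url.hash.slice(1));
  const found = {};
  for (const name of ["code", "access_token", "id_token", "refresh_token", "error"]) {
    if (fragment.has(name)) found[name] = "fragment";
    else if (url.searchParams.has(name)) found[name] = "query";
  }
  return found;
}

// Combine both views into findings a reviewer can act on.
function diagnose(authorizeUrl, redirectUrl) {
  const { scopes, responseTypes } = inspectAuthorizeRequest(authorizeUrl);
  const returned = inspectRedirect(redirectUrl);
  const findings = [];
  if (!scopes.includes("offline_access")) findings.push("offline_access not requested");
  if (!responseTypes.includes("code")) findings.push("response_type lacks 'code'");
  if (returned.access_token) findings.push(`access_token in URL ${returned.access_token}`);
  if (returned.code) findings.push("code returned: exchange it at the token endpoint");
  return { scopes, responseTypes, returned, findings };
}

// Constructed sample: offline_access requested, tokens delivered in the fragment.
const sampleAuthorize = "https://tenant.example/authorize?response_type=token" +
  "&client_id=CONSTRUCTED_ID&scope=openid%20profile%20email%20offline_access" +
  "&audience=https%3A%2F%2Fmyaudience&redirect_uri=https%3A%2F%2Fapp.example%2Fcb";
const sampleRedirect = "https://app.example/cb#access_token=CONSTRUCTED" +
  "&token_type=Bearer&expires_in=7200";
console.log(diagnose(sampleAuthorize, sampleRedirect).findings);
```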

Thanks for your answer. Yes I did. Here is the decoded access_token (using jwt.io) I get from the redirect, after successfully logging in:

(I replaced sensitive info with xxxxx)

{
  "xxxxxxx": "xxxxxxx",
  "xxxxxxx": "xxxxxxx",
  "baseurl/roles": [
    "admin"
  ],
  "iss": "https://xxxxxxx.eu.auth0.com/",
  "sub": "auth0|xxxxxxx",
  "aud": [
    "https://myaudience",
    "https://xxxx.eu.auth0.com/userinfo"
  ],
  "iat": 1677485109,
  "exp": 1677492309,
  "azp": "xxxxxx",
  "scope": "openid profile email offline_access",
  "permissions": [
    "create:comments",
    "create:companies",
    "update:tags",
    "update:teams"
  ]
}

Thanks for the reply and confirmation @guillim!

Could you expand a little on your SPA application and what Auth0 SDK/library you have integrated for your authentication? If you could also include the version you are using that would be great.

2 Likes

Sure!

About the SPA application
It’s a no-code web app. We therefore use no SDK, only API calls. I can provide the ClientID if it helps you out. I can also provide the Auth0 tenant if required.

About the Login flow
It may be important so I mention it here: in the Login Flow (Actions > Flows) I add with custom actions some metadata to the access_token. I believe it should not interfere but anyway…