Why is it that if I enable default audience at the tenant level (https://manage.auth0.com/#/tenant), then I stop receiving a refresh token when I receive an access token? How is this related?
Refresh token rotation is on.
Without changing anything else, not in the application, not in the dashboard:
- If the “Default audience” parameter is empty, a refresh token is returned
- If the “Default audience” parameter is filled, the refresh token is not returned
This behavior occurs due to how Auth0 handles OAuth2 flows and token issuance based on audience settings. Let me explain the relationship:
- Default Audience Impact
  - When you don’t set a default audience, Auth0 treats the flow as an OpenID Connect (OIDC) flow
  - With a default audience set, Auth0 treats it as a pure OAuth2 flow
- Token Issuance Rules
  - OIDC flows (no default audience) typically return:
    - id_token
    - access_token
    - refresh_token (if offline_access scope is requested)
  - OAuth2 flows (with default audience) are more restrictive and require explicit configuration
To get refresh tokens when using a default audience, you need to:
- Ensure the application is requesting the `offline_access` scope
- Configure the application’s “Refresh Token Behavior” settings
- Make sure the grant type `refresh_token` is enabled for your application
```javascript
// When making the authorization request, include offline_access scope
const options = {
  // ... other options ...
  scope: 'openid profile email offline_access'
};
```
And in your Auth0 application settings:
- Go to Applications → [Your App] → Settings
- In “Advanced Settings” → “Grant Types”
- Ensure “Refresh Token” is checked
- Save changes