Refreshed access token is not working

General
, , , ,
#1

We are building Zapier to our service integration and have enabled OAuth2 on the Zapier side. When asking for tokens we do pass scope: 'offline_access'. The Zapier receives access_token and refresh_token after the user logs in. The access_token is working - the “zaps” pass it to our API and we can call methods like GET https://<our domain>.auth0.com/userinfo with Authorization: Bearer <access_token> which returns user info.

curl --request GET \
  --url https://<our domain>.auth0.com/userinfo \
  --header 'authorization: Bearer <access token>' \
  --header 'content-type: application/json'

    {
    	"email": "...",
    	"name": "Gleb Bahmutov",
      ...

But the access tokens expire, so we need to refresh them. We are making a call like this one

curl --request POST \
  --url https://<our domain>.auth0.com/oauth/token \
  --header 'content-type: application/json' \
  --data '{
	"grant_type": "refresh_token",
	"client_id": "<our client id>",
	"client_secret": "<our secret>",
	"refresh_token": "<refresh token we received earlier>"
}'

This responds with an object with new token, looks something like this

{
	"access_token": "jDUIy...",
	"expires_in": 86400,
	"token_type": "Bearer"
}

We are grabbing this new access token and try fetching the user information again using GET https://<our domain>.auth0.com/userinfo just like before, but with new token. What we get back from Auth0 API is puzzling: it is status code200 and response {} (empty object). I do not see anything related in the Auth0 logs so the source of the empty object is very puzzling. We would love to have this issue resolved to finish our integration, that’s the only blocking step.

#2

Which exact scope and audience are you specifying in the original authentication request? Could you also show a snippet of code from that request?

#3

Not an answer, just more details:

the Zapier is making the request to /authorize, and the scope is offline_access but we do not set the audience. We have tried setting the audience but that did not solve anything, so we removed that parameter.
The Zapier code in question is below

// Step 1 of the OAuth flow; specify where to send the user to authenticate with your API.
    // Zapier generates the state and redirect_uri, you are responsible for providing the rest.
    // Note: can also be a function that returns a string
    authorizeUrl: {
      url: fullAuthUrl('/authorize'),
      params: {
        client_id: '{{process.env.CLIENT_ID}}',
        state: '{{bundle.inputData.state}}',
        redirect_uri: '{{bundle.inputData.redirect_uri}}',
        response_type: 'code',
      },
    },
// If there is a specific scope you want to limit your Zapier app to, you can define it here.
    // Will get passed along to the authorizeUrl
    scope: 'offline_access',

I have tried adding audience to /oauth/token like https://auth0.com/docs/tokens/access-token suggests. I set it to <our domain>.auth0.com/userinfo because all I want is to use the opaque access token to retrieve /userinfo. I even pass the same audience when making a call to refresh the token - the returned access token when used to call <our domain>.auth0.com/userinfo returns 200 with empty object!

#4

Was this ever solved? I’m having the exact same issue. Using a refreshed token causes /userinfo to return an empty object.

3 Likes
#5

Hey there!

Sorry for such huge delay in response! We’re doing our best in providing you with best developer support experience out there, but sometimes our bandwidth is not enough comparing to the number of incoming questions.

Wanted to reach out to know if you still require further assistance?

#6