Refreshing id_token with express-openid-connect

I followed the basic example here to set up authentication for my app: GitHub - auth0/express-openid-connect: An Express.js middleware to protect OpenID Connect web applications.. By default it uses the implicit flow, which returns an id_token stored in an encrypted cookie. This id_token is used for authenticating subsequent requests to endpoints using the requiresAuth middleware.

My question are 1) isn’t it standard to use the access token for auth instead of the id token? and 2) how can you refresh the id_token with this flow? It seems like you need refresh token, which isn’t provided in this flow.

Hi @daniel12,

Welcome to the Auth0 Community!

The access token is typically used with requests made to resource servers. The ID token is used by the client application.

More on the difference here: ID Token and Access Token: What Is the Difference?

This resource is helpful with examples for accessing protected routes and refresh token flows:

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.