Refreshing id_token with express-openid-connect

daniel12 · November 17, 2021, 9:17pm

I followed the basic example here to set up authentication for my app: GitHub - auth0/express-openid-connect: An Express.js middleware to protect OpenID Connect web applications.. By default it uses the implicit flow, which returns an id_token stored in an encrypted cookie. This id_token is used for authenticating subsequent requests to endpoints using the requiresAuth middleware.

My question are 1) isn’t it standard to use the access token for auth instead of the id token? and 2) how can you refresh the id_token with this flow? It seems like you need refresh token, which isn’t provided in this flow.

dan.woda · November 26, 2021, 5:45pm

Hi @daniel12,

Welcome to the Auth0 Community!

The access token is typically used with requests made to resource servers. The ID token is used by the client application.

More on the difference here: ID Token and Access Token: What Is the Difference?

This resource is helpful with examples for accessing protected routes and refresh token flows:

github.com

auth0/express-openid-connect/blob/master/EXAMPLES.md#5-obtaining-and-using-refresh-tokens

# Examples

1. [Basic setup](#1-basic-setup)
2. [Require authentication for specific routes](#2-require-authentication-for-specific-routes)
3. [Route customization](#3-route-customization)
4. [Obtaining access tokens to call external APIs](#4-obtaining-access-tokens-to-call-external-apis)
5. [Obtaining and using refresh tokens](#5-obtaining-and-using-refresh-tokens)
6. [Calling userinfo](#6-calling-userinfo)
7. [Protect a route based on specific claims](#7-protect-a-route-based-on-specific-claims)
8. [Logout from Identity Provider](#8-logout-from-identity-provider)
9. [Validate Claims from an ID token before logging a user in](#9-validate-claims-from-an-id-token-before-logging-a-user-in)
10. [Use a custom session store](#10-use-a-custom-session-store)
11. [Back-Channel Logout](#11-back-channel-logout)

## 1. Basic setup

The simplest use case for this middleware. By default all routes are protected. The middleware uses the [Implicit Flow with Form Post](https://auth0.com/docs/flows/concepts/implicit) to acquire an ID Token from the authorization server and an encrypted cookie session to persist it.

```text
# .env

This file has been truncated. show original

system · January 20, 2022, 11:06pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.