Refreshing id_token with express-openid-connect

daniel12 · November 17, 2021, 9:17pm

I followed the basic example here to set up authentication for my app: GitHub - auth0/express-openid-connect: An Express.js middleware to protect OpenID Connect web applications.. By default it uses the implicit flow, which returns an id_token stored in an encrypted cookie. This id_token is used for authenticating subsequent requests to endpoints using the requiresAuth middleware.

My question are 1) isn’t it standard to use the access token for auth instead of the id token? and 2) how can you refresh the id_token with this flow? It seems like you need refresh token, which isn’t provided in this flow.

dan.woda · November 26, 2021, 5:45pm

Hi @daniel12,

Welcome to the Auth0 Community!

The access token is typically used with requests made to resource servers. The ID token is used by the client application.

More on the difference here: ID Token and Access Token: What Is the Difference?

This resource is helpful with examples for accessing protected routes and refresh token flows:

github.com

auth0/express-openid-connect/blob/master/EXAMPLES.md#5-obtaining-and-using-refresh-tokens

# Examples

1. [Basic setup](#1-basic-setup)
2. [Require authentication for specific routes](#2-require-authentication-for-specific-routes)
3. [Route customization](#3-route-customization)
4. [Obtaining access tokens to call external APIs](#4-obtaining-access-tokens-to-call-external-apis)
5. [Obtaining and using refresh tokens](#5-obtaining-and-using-refresh-tokens)
6. [Calling userinfo](#6-calling-userinfo)
7. [Protect a route based on specific claims](#7-protect-a-route-based-on-specific-claims)
8. [Logout from Identity Provider](#8-logout-from-identity-provider)
9. [Validate Claims from an ID token before logging a user in](#9-validate-claims-from-an-id-token-before-logging-a-user-in)
10. [Use a custom session store](#10-use-a-custom-session-store)
11. [Back-Channel Logout](#11-back-channel-logout)

## 1. Basic setup

The simplest use case for this middleware. By default all routes are protected. The middleware uses the [Implicit Flow with Form Post](https://auth0.com/docs/flows/concepts/implicit) to acquire an ID Token from the authorization server and an encrypted cookie session to persist it.

```text
# .env

This file has been truncated. show original

system · January 20, 2022, 11:06pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Refresh session route in openid connect Help sessions , authentication-sessions	0	943	February 17, 2023
Accessing id_token in expressjs Help sessions , authentication-sessions	3	371	February 9, 2024
Refresh token rotation not working in express-openid-connect Help auth0 , refresh-tokens , express , openidconnect , refresh-token-rotate	4	3409	January 26, 2023
refreshToken missing from request.oidc Help oidc , refresh_token	3	3429	January 6, 2022
Express-openid-connext: Intended way to get user data on login Help sso , application	2	1896	February 20, 2023

Refreshing id_token with express-openid-connect

Related Topics