Auth0 Home Blog Docs

Renew passwordless idToken in cordova app


#1

Is there anyway to refresh a idToken/session (obtained via passwordless) when running the auth0-js inside a cordova application?

  • I can’t use checkSession as that includes a codepath that breaks if the current origin is not HTTP(S)
  • auth0-cordova SDK doesn’t include anything that would help with checkSession (and we already use it’s InAppBrowser technique to complete passwordless verification)

I’ve tried putting together the URL via buildAuthorizeUrl using prompt: “none” and responseMode: “web_message” but the resulting URL returns an “Oops!, something went wrong” error (it returned an “invalid redirect URL” until I added the app bundle origin to the CORS list).

Is there anything I can do to extend the session, or is auth0 simply not the right product for what I need?


#2

Any feedback on this?


#4

:wave: @MXTcWznt as you mentioned it looks like the refresh token grant is not implemented by default as part of the Cordova library, so you would need to implement a function that calls /oauth/token with refresh_token as grant_type as per API documentation here. The client Secret is not required in this request since we are using a Native Application and the Token Endpoint Authentication Method (Found in Application settings) is set to None for native type applications. But this is explained in the API document I have linked above. Let me know if this is what you are looking to accomplish!


#5

@kim.noel It’s my understanding that a refresh_token cannot be granted in the passwordless flow (or at least when idToken is requested). Is this correct?


#6

@MXTcWznt that is my bad! I overlooked your mention of passwordless in your post. If you are using Universal login, so the hosted login page in Lock ‘Passwordless’ mode, then we can have access to refresh tokens.


#7

@kim.noel We’re not using Lock as we have a completely customised UI. Can you let me know if there’s anyway we can use passwordless and still obtain refresh tokens? I’m happy for us to call the API endpoints manually if required.


#9

This was discussed internally via a support ticket and I wanted to provide the following info to assist anyone else with the same challenge:

We don’t have a good story for this exact flow as it doesn’t follow the general recommendations we make for Cordova flow, and we don’t want to recommend anything insecure here either.

You may either use Lock or create a page from scratch without using Lock at all, because the SDK displays Auth0’s hosted login page and this can be customized.

When using the SDK, you can pass the offline_access scope, which will cause Auth0 to return a refresh token. This refresh token can then be exchanged for new access/ID tokens by making a POST /oauth/token request to Auth0 as mentioned here: https://auth0.com/docs/tokens/refresh-token/current#use-a-refresh-token