We’re running into a problem with refresh tokens and the userinfo endpoint.
We’re building a mobile application with Expo IO and TypeScript. For communicating with Auth0, we’re using expo-app-auth (https://www.npmjs.com/package/expo-app-auth).
Basically, when we log into the application, we get back an access_token with both our audience and the Auth0 userinfo audience. However, when this token expires and we refresh it, we get a token without the userinfo audience.
This means that if we try to access the Auth0 userinfo endpoint, we get back ‘access denied’.
The new access_token is valid for accessing our own service, but not for the userinfo endpoint. It looks like we’re currently passing the same set of options to get the access_token on login and to refresh it (basically, we’re passing the correct audience and the scopes “openid email profiles offline_access”). Do we need to pass something else to get it to work?
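As an added diagnostic (not code from the original post, from expo-app-auth or from Auth0), the TypeScript below decodes the payload of an access token and reports which audiences and scopes it carries, so the token returned at login and the token returned by the refresh call can be compared directly instead of waiting for the userinfo endpoint to reject one of them. When a request carries an API `audience` together with the `openid` scope, Auth0 issues a JWT access token whose `aud` claim is an array holding both the API identifier and `https://<your Auth0 domain>/userinfo`; the check looks for exactly those two values. The tenant domain `example.auth0.com`, the API identifier `https://api.example.com` and the two unsigned sample tokens are assumptions constructed to reproduce the symptom described above. The `scope` claim is reported as well, so a scope name the authorization server did not recognize (the standard OIDC scope is `profile`) would show up in the same comparison.

```typescript
// Added diagnostic, not code from the original post, expo-app-auth or Auth0.
// Decodes an access token's payload to compare the `aud` and `scope` claims of
// the login token with those of the refreshed token.

interface AccessTokenClaims {
  aud?: string | string[];
  scope?: string;
  exp?: number;
  [claim: string]: unknown;
}

interface AudienceReport {
  audiences: string[];      // every value in `aud` (string or array form)
  scopes: string[];         // the space-separated `scope` claim, split
  missing: string[];        // expected audiences the token does not carry
  canCallUserinfo: boolean; // true only if the userinfo audience is present
}

// Hypothetical tenant domain and API identifier (assumptions, not real values).
const TENANT_DOMAIN = 'example.auth0.com';
const API_AUDIENCE = 'https://api.example.com';

// base64url without padding -> UTF-8 text; JWT segments use this alphabet.
function base64UrlDecode(segment: string): string {
  const base64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padding = (4 - (base64.length % 4)) % 4;
  return Buffer.from(base64 + new Array(padding + 1).join('='), 'base64').toString('utf8');
}

function base64UrlEncode(text: string): string {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Read the payload WITHOUT verifying the signature. That is fine for inspecting
// your own token on the client; never make an authorization decision from it.
export function decodeClaims(token: string): AccessTokenClaims {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('not a JWT: an opaque access token carries no claims to inspect');
  }
  return JSON.parse(base64UrlDecode(parts[1])) as AccessTokenClaims;
}

// Auth0 sets `aud` to an array (API identifier plus https://<domain>/userinfo)
// when the request carries an API `audience` and the `openid` scope.
export function checkAudiences(token: string, apiAudience: string, tenantDomain: string): AudienceReport {
  const claims = decodeClaims(token);
  const userinfoAudience = 'https://' + tenantDomain + '/userinfo';
  const audiences: string[] = claims.aud === undefined ? [] : ([] as string[]).concat(claims.aud);
  const scopes = (claims.scope || '').split(' ').filter((s) => s.length > 0);
  const missing = [apiAudience, userinfoAudience].filter((a) => audiences.indexOf(a) === -1);
  return { audiences, scopes, missing, canCallUserinfo: audiences.indexOf(userinfoAudience) !== -1 };
}

// Constructed, unsigned sample tokens reproducing the symptom: both audiences
// after login, only the API audience after refresh. The signature is a dummy.
function constructedToken(claims: AccessTokenClaims): string {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  return header + '.' + base64UrlEncode(JSON.stringify(claims)) + '.signature';
}

export const LOGIN_TOKEN = constructedToken({
  aud: [API_AUDIENCE, 'https://' + TENANT_DOMAIN + '/userinfo'],
  scope: 'openid email profile offline_access',
  exp: 1700000000,
});

export const REFRESHED_TOKEN = constructedToken({
  aud: API_AUDIENCE,
  scope: 'openid email profile offline_access',
  exp: 1700086400,
});

// Side-by-side report plus the audiences that were present at login but are
// gone after the refresh; a non-empty `lostAudiences` is the failure described.
export function compareTokens(loginToken: string, refreshedToken: string):
  { login: AudienceReport; refreshed: AudienceReport; lostAudiences: string[] } {
  const login = checkAudiences(loginToken, API_AUDIENCE, TENANT_DOMAIN);
  const refreshed = checkAudiences(refreshedToken, API_AUDIENCE, TENANT_DOMAIN);
  const lostAudiences = login.audiences.filter((a) => refreshed.audiences.indexOf(a) === -1);
  return { login, refreshed, lostAudiences };
}

console.log(JSON.stringify(compareTokens(LOGIN_TOKEN, REFRESHED_TOKEN), null, 2));
```

In the app, run `checkAudiences` on the access token returned by the login call and again on the one returned by the refresh call, with your real API identifier and Auth0 domain. If the refreshed token is the one missing `https://<domain>/userinfo`, the difference lies in the two token requests, so log and diff the exact `audience` and `scope` parameters each call sends rather than the shared options object. Note that this decodes without verifying the signature, which is acceptable for inspecting a token the client already holds; the API and the userinfo endpoint still verify it on their side.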