Retrieve non rotating refresh token using SPA sdk

jmj · August 20, 2022, 7:09am

I am able to retrieve rotating refresh token using auth0 SPA SDK - however using non-rotating refresh token I am unable to retrieve on SPA (using PKCE authorization flow).

I understand the security risk of making non rotating refresh token available to public client (web browser here for example).

Questions:

If I still want to access non-rotating refresh token in my SPA - how can I get it?
If SPA is really out of question for this situation, can I retrieve non rotating refresh token using access token and client secret from backend?

I have the user authenticated and authorized to perform API calls in SPA. I want to make non rotating refresh token available to them.

dan.woda · August 26, 2022, 10:11pm

Hi @jmj,

Welcome to the Auth0 Community!

It sounds like you should be issuing the user a set of client credentials as a third party application. More info here: First-Party and Third-Party Applications

jmj · August 26, 2022, 10:23pm

Thanks @dan.woda - yes I read through other similar post and ended up implementing m2m apps and client credentials.

dan.woda · August 26, 2022, 10:23pm

Perfect! Let us know if you have any other questions.

jmj · August 26, 2022, 10:55pm

Since you are asking I have other question where I could use your expertise. Username Password connection, organization & signup

Topic		Replies	Views
Unlimited refresh token from SPA Help	3	3183	January 13, 2022
SPA & Refresh Token Help auth0 , spa , refresh-tokens	4	3053	May 27, 2020
We've added support for Refresh Token Rotation! Announcements refresh-tokens , announcements , refresh-token-rotate	13	9019	November 2, 2021
Current Recommendation for SPA Help	4	2523	May 26, 2020
How to Use Refresh Tokens in a SPA? Knowledge Articles auth0 , spa , refresh-tokens	0	580	June 3, 2024

Retrieve non rotating refresh token using SPA sdk

Related topics