Retrieve non-rotating refresh token using SPA SDK

I am able to retrieve a rotating refresh token using the Auth0 SPA SDK. However, I am unable to retrieve a non-rotating refresh token on the SPA (using the PKCE authorization flow).

I understand the security risk of making a non-rotating refresh token available to a public client (a web browser, for example).

Questions:

  • If I still want to access a non-rotating refresh token in my SPA, how can I get it?
  • If the SPA is really out of the question for this situation, can I retrieve a non-rotating refresh token using the access token and client secret from the backend?

I have the user authenticated and authorized to perform API calls in the SPA. I want to make a non-rotating refresh token available to them.

Hi @jmj,

Welcome to the Auth0 Community!

It sounds like you should be issuing the user a set of client credentials as a third party application. More info here: First-Party and Third-Party Applications


Thanks @dan.woda - yes, I read through other similar posts and ended up implementing M2M apps and client credentials.


Perfect! Let us know if you have any other questions.


Since you are asking :) I have another question where I could use your expertise. Username Password connection, organization & signup