Hi, I have a React app (frontend) talking to a Java backend REST API.
The user logs in on the frontend, which sends a request to Auth0. Auth0 returns an accessToken, and with this token the user can use the application: whenever a REST API call is needed, the token is sent to the REST API for an authorization check. In short, we are using the “Resource Owner Password Grant” flow.
Now we want to add the refresh token, so that when the accessToken expires we can get a new accessToken for the user. I checked the Auth0 documentation; there is a lot of BLAH regarding refresh tokens, more than I would ever ask for (the web is full of that…), but an explanation of how to ACTUALLY get a refresh token is sparse. The only explanation I found was how to make it work with the Auth0 popups, but we don’t want to use those. I also found a request explaining how to add the client secret.
That’s also not an option: it’s the frontend, so the client secret would be visible in clear text to all our customers! So how does this actually work? Should the Java backend retrieve a refresh token instead and send it to the client over some other REST API? I don’t like this option much either, because then I would strongly couple Auth0 with my backend. Right now the customer comes with a token and the backend validates the token, but there is no actual security logic in place, so everything is nicely decoupled.