Rules and Refresh Tokens

Perhaps this has been answered elsewhere, but if so, I haven’t been able to find it.

I am requesting a refresh token as specified here: Get Refresh Tokens. I have a series of rules that should execute before the result is returned to the callback.

I have confirmed that the refresh token is returned to the callback url. However, given that Auth0 explicitly states that best practice is to handle it server-side, I am looking to strip the refresh token out of the return object in one of the rules, and upsert it to a backend server, eliminating any user-security issues.

However, the refresh token does not appear accessible inside of the rule, and in fact only appears to be accessible from the client. This seems like a rather strange default.

Is there a way to retrieve the refresh token in the rule? Barring that, I suppose I can make a follow-up request from the client, but that seems insecure, and it bothers me somewhat that that seems to be the easy path here.

Hi James,

Which flow are you using? Implicit? Auth Code? Auth Code + PKCE?

For the scenario you describe Auth Code keeps the access and refresh tokens on the server side, without any additional effort.

John
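John's point, worked through as an added example that is not from this thread or from Auth0's own SDKs: a confidential-client Authorization Code callback that exchanges the code at the token endpoint and keeps the refresh token in a server-side store, handing the browser only an opaque session id. The `exchange` callable, the placeholder client settings and the in-memory `SESSION_STORE` are assumptions made so the example runs offline; the form fields sent to `/oauth/token` are the standard ones for the two grant types.

```python
import secrets
from typing import Callable, Dict

# Constructed placeholder settings; a real deployment reads these from config.
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
CLIENT_SECRET = "CLIENT_SECRET_PLACEHOLDER"  # confidential client: stays on the server
REDIRECT_URI = "https://app.example/callback"
# Server-side token store keyed by an opaque session id (in production an
# encrypted database row or cache entry); the browser only ever holds the id.
SESSION_STORE: Dict[str, Dict[str, str]] = {}
# Stand-in for the HTTPS POST to https://<tenant>/oauth/token (form body in,
# parsed JSON out); injected so the example runs offline.
TokenExchange = Callable[[Dict[str, str]], Dict[str, str]]


def handle_callback(query: Dict[str, str], expected_state: str,
                    exchange: TokenExchange) -> str:
    """Authorization Code callback. Returns a session id for the browser cookie;
    the access and refresh tokens never leave the server."""
    if not secrets.compare_digest(query.get("state", "").encode(), expected_state.encode()):
        raise RuntimeError("state mismatch (possible CSRF)")
    tokens = exchange({
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "code": query["code"],
        "redirect_uri": REDIRECT_URI,
    })
    session_id = secrets.token_urlsafe(32)
    SESSION_STORE[session_id] = {
        "access_token": tokens["access_token"],
        # Only present when offline_access was requested in the authorize call.
        "refresh_token": tokens.get("refresh_token", ""),
    }
    return session_id


def refresh_access_token(session_id: str, exchange: TokenExchange) -> str:
    """Renew the access token with the server-held refresh token."""
    entry = SESSION_STORE[session_id]
    tokens = exchange({
        "grant_type": "refresh_token",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "refresh_token": entry["refresh_token"],
    })
    entry["access_token"] = tokens["access_token"]
    # With refresh token rotation enabled Auth0 returns a new one; keep the newest.
    entry["refresh_token"] = tokens.get("refresh_token", entry["refresh_token"])
    return tokens["access_token"]
```

Because the exchange happens with the client secret on the server, no rule needs to see or strip the refresh token: the client-side callback URL carries only the code and state.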

Hey there!

As this topic is related to Rules - Hooks - Actions and Rules & Hooks are being deprecated soon I’m excited to let you know about our next Ask me Anything session in the Forum on Thursday, January 18 with the Rules, Hooks and Actions team on Rules & Hooks and why Actions matter! Submit your questions in the thread above and our esteemed product experts will provide written answers on January 18. Find out more about Rules & Hooks and why Actions matter! Can’t wait to see you there!

Learn more here!