Rules and Refresh Tokens

Perhaps this has been answered elsewhere, but if so, I haven’t been able to find it.

I am requesting a refresh token as specified here: I have a series of rules that should execute before the result is returned to the callback.

I have confirmed that the refresh token is returned to the callback url. However, given that Auth0 explicitly states that best practice is to handle it server-side, I am looking to strip the refresh token out of the return object in one of the rules, and upsert it to a backend server, eliminating any user-security issues.

However, the refresh token does not appear accessible inside of the rule, and in fact only appears to be accessible from the client. This seems like a rather strange default.

Is there a way to retrieve the refresh token in the rule? Barring that, I suppose I can make a follow-up request from the client, but that seems insecure, and it bothers me somewhat that that seems to be the easy path here.

Hi James,

Which flow are you using? Implicit? Auth Code? Auth Code + PKCE?

For the scenario you describe Auth Code keeps the access and refresh tokens on the server side, without any additional effort.