Perhaps this has been answered elsewhere, but if so, I haven’t been able to find it.
I am requesting a refresh token as specified here: Get Refresh Tokens. I have a series of rules that should execute before the result is returned to the callback.
I have confirmed that the refresh token is returned to the callback url. However, given that Auth0 explicitly states that best practice is to handle it server-side, I am looking to strip the refresh token out of the return object in one of the rules, and upsert it to a backend server, eliminating any user-security issues.
However, the refresh token does not appear accessible inside of the rule, and in fact only appears to be accessible from the client. This seems like a rather strange default.
Is there a way to retrieve the refresh token in the rule? Barring that, I suppose I can make a follow-up request from the client, but that seems insecure, and it bothers me somewhat that that seems to be the easy path here.