SPA Application Error: No refresh_token Was Issued Because the Authorization Code Exchange Originated From a Browser

Last updated: Nov 14th, 2024

Overview

Repeated instances of this message appear in the tenant logs after deploying a Single Page Application (SPA):

The scope ‘offline_access’ was requested, but no ‘refresh_token’ was issued because the authorization code exchange originated from a browser.

  • These errors are typically associated with a specific application (a single client_id).
  • If more than one application has been misconfigured, the messages may be associated with two or more applications.

Applies To

  • Refresh Tokens
  • Single Page Applications (SPA)
  • Authorization Code Exchange

Cause

A non-rotating refresh token is a long-lived credential that stays valid every time it is used, so if it leaks from browser storage it can be replayed to obtain new access tokens until it expires or is revoked. A rotating refresh token is exchanged for a new one on every use, which limits the window of a leak and allows reuse of an already-exchanged token to be detected. Auth0 therefore recommends rotating refresh tokens rather than non-rotating refresh tokens for SPA and Mobile type applications.

When refresh token rotation is disabled for the application (that is, the application uses non-rotating refresh tokens) and the client sends an Origin header on the POST /oauth/token request that exchanges the authorization code, Auth0 treats the exchange as originating from a browser. Browsers add the Origin header automatically to cross-origin fetch and XMLHttpRequest POSTs, and page script cannot remove it, so its presence is a reliable signal of a browser-based client. By default Auth0 then withholds the refresh token and records this error in the tenant logs.

Solution

Auth0 recommends rotating refresh tokens for clients that run in a browser. The default configuration does not allow non-rotating refresh tokens to be issued to browsers. If non-rotating refresh tokens must be used from browsers, open a support ticket with Auth0.

For applications that perform the code exchange outside a browser (for example, a backend service or a native client) and need non-rotating refresh tokens, ensure the client does not send an Origin header with the POST /oauth/token request. Server-side HTTP clients and tools such as curl do not add Origin unless explicitly told to, so the error usually means a browser is performing the exchange.

If a self-managed custom domain is configured on the tenant, it may also be possible to remove the Origin header at the custom domain proxy:

  1. Match POST /oauth/token requests whose form body contains client_id=APP_CLIENT_ID and grant_type=authorization_code
  2. Remove the Origin header from the matching requests only

Keep the match as narrow as possible. Stripping Origin removes the signal Auth0 uses to detect browser-originated exchanges, so the rule must cover only an application whose code exchange genuinely runs outside the browser, and never a client_id that is also used by a SPA.
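As an added illustration, not Auth0's code and not the proxy configuration the steps above refer to, the following Node.js snippet models the two behaviours described on this page: the tenant-side decision on whether to issue a refresh token when Origin is present, and a custom domain proxy filter that strips Origin only for the matching code exchange. The request objects, the scopes, the `refreshTokenRotation` setting name and the client_id value APP_CLIENT_ID are constructed for the example; Auth0's real implementation is not shown here.

```javascript
// Added example: a model of the behaviour described above, not Auth0's own
// implementation. Request objects, scopes and client_id values are constructed.

const EXAMPLE_CLIENT_ID = 'APP_CLIENT_ID'; // placeholder id from the steps above (assumption)

// Parse an application/x-www-form-urlencoded body (the content type of
// POST /oauth/token) into a plain object.
function parseForm(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// HTTP header names are case-insensitive, so look them up that way.
function hasHeader(headers, name) {
  return Object.keys(headers).some((k) => k.toLowerCase() === name.toLowerCase());
}

// Model of the tenant-side decision. `app.refreshTokenRotation` is an assumed
// name for the application's rotation setting. `authorizedScopes` are the
// scopes granted at /authorize and bound to the code being exchanged.
function decideRefreshToken(app, authorizedScopes, tokenRequest) {
  const form = parseForm(tokenRequest.body);
  if (form.grant_type !== 'authorization_code') {
    return { issued: false, reason: 'not an authorization code exchange' };
  }
  if (!authorizedScopes.includes('offline_access')) {
    return { issued: false, reason: 'offline_access was not requested' };
  }
  // A browser always attaches Origin to a cross-origin fetch/XHR POST and page
  // script cannot remove it, so its presence marks a browser-originated exchange.
  if (!app.refreshTokenRotation && hasHeader(tokenRequest.headers, 'origin')) {
    return {
      issued: false,
      reason: "The scope 'offline_access' was requested, but no 'refresh_token' was issued because the authorization code exchange originated from a browser.",
    };
  }
  return { issued: true, reason: null };
}

// Custom domain proxy filter for the workaround steps: strip Origin only on
// POST /oauth/token with grant_type=authorization_code for the given client_id.
// Every other request passes through untouched.
function stripOriginForCodeExchange(req, clientId) {
  if (req.method !== 'POST' || req.path !== '/oauth/token') return req;
  const form = parseForm(req.body);
  if (form.grant_type !== 'authorization_code' || form.client_id !== clientId) return req;
  const headers = Object.fromEntries(
    Object.entries(req.headers).filter(([k]) => k.toLowerCase() !== 'origin'),
  );
  return { ...req, headers };
}

// Constructed sample: the exchange a SPA's fetch() would send (Origin added by the browser).
const browserExchange = {
  method: 'POST',
  path: '/oauth/token',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded',
    Origin: 'https://spa.example.com',
  },
  body: new URLSearchParams({
    grant_type: 'authorization_code',
    client_id: EXAMPLE_CLIENT_ID,
    code: 'constructed-code',
    code_verifier: 'constructed-verifier',
    redirect_uri: 'https://spa.example.com/callback',
  }).toString(),
};

const nonRotatingApp = { refreshTokenRotation: false };
const rotatingApp = { refreshTokenRotation: true };
const scopes = ['openid', 'profile', 'offline_access'];

console.log(decideRefreshToken(nonRotatingApp, scopes, browserExchange)); // issued: false, the logged error
console.log(decideRefreshToken(rotatingApp, scopes, browserExchange).issued); // true: rotation is allowed from browsers
const filtered = stripOriginForCodeExchange(browserExchange, EXAMPLE_CLIENT_ID);
console.log(decideRefreshToken(nonRotatingApp, scopes, filtered).issued); // true: Origin stripped at the proxy
```

The last call shows why the proxy rule must be narrow: once Origin is gone, the model has no way to tell a backend exchange from a browser one, so a filter that matched the SPA's own client_id would silently hand a non-rotating token to the browser.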