Token refresh does not work in `auth0-spa-js`

ivk · June 28, 2022, 9:42am

Issue:
Token refresh does not work in auth0-spa-js

Description:
The auth0-spa-js can be configured to refresh tokens (useRefreshTokens flag).
When an access token is expired getTokenSilently() tries to refresh it automatically.
But getTokenSilently() does not pass scope to the /token endpoint.
As a result, an ID token is not returned back and the “ID token is required but missing ” error is thrown.

Use-case:

Create a SPA with an automatic token refresh (useRefreshTokens) as explained in the Getting Started section:
@auth0/auth0-spa-js - npm
Decrease lifetime of ID or access token to 70 seconds on https://manage.auth0.com.
Open SPA and wait for 11 seconds (till the token is expired).
Call getTokenSilently() function.

Actual result: The “ID token is required but missing ” error is thrown.

Expected result: The tokes are refreshed.

konrad.sopala · July 18, 2022, 10:08am

Hey there!

Thanks for creating this feedback card however the most effective way to handle that would be to raise a GitHub issue in the auth0-spa-js repo so we can work on that directly with the repo maintainers. Can you do that and then share a link to it here so we can ping them? Thank you!

ivk · July 18, 2022, 12:58pm

Thank you for letting me know!

I was asked to report it as feedback in support ticket that I created earlier:

Also, you may consider leaving us product feedback about this: Auth0: Secure access for everyone. But not just anyone. Any feedback reported through that channel goes directly to our product team in order to help them prioritize future work.

Here is the created GitHub issue:

github.com/auth0/auth0-spa-js

Token refresh does not work in `auth0-spa-js`

opened 12:52PM - 18 Jul 22 UTC

closed 10:26AM - 08 Aug 22 UTC

sc-ivankorshun

bug report

### Describe the problem The `auth0-spa-js` can be configured to refresh toke…ns (`useRefreshTokens` flag). When an access token is expired `getTokenSilently()` tries to refresh it automatically. But `getTokenSilently()` does not pass scope to the `/token` endpoint. As a result, an ID token is not returned back and the “`ID token is required but missing`” error is thrown. ### Reproduction 1. Create a SPA with an automatic token refresh (`useRefreshTokens`) as explained in the Getting Started section: [@auth0/auth0-spa-js - npm](https://www.npmjs.com/package/@auth0/auth0-spa-js) 2. Decrease lifetime of ID or access token to 70 seconds on https://manage.auth0.com/. 3. Open SPA and wait for 11 seconds (till the token is expired). 4. Call `getTokenSilently()` function. **Actual result**: The “`ID token is required but missing`” error is thrown. **Expected result:** The tokes are refreshed. ### Environment - Version of `auth0-spa-js` used: `https://cdn.auth0.com/js/auth0-spa-js/1.22/auth0-spa-js.production.js` - Which browsers have you tested in? Chrome. - Which framework are you using, if applicable (Angular, React, etc): reproduced on both pure `auth0-spa-js` and React. - Other modules/plugins/libraries that might be involved: no.

konrad.sopala · July 19, 2022, 12:51pm

Perfect, thanks a lot for doing that!