Tradestation & Refresh Tokens

I’m using the auth0-react SDK to connect my app to the Tradestation API. They use Auth0 as their library of choice, and I think I may be the first person to ever use it because I’ve been hitting problem after problem and there are no questions or comments from anyone else online about it. As of right now, I’m able to use auth0-react to sign in to my application, get an access token to make requests to their API, and successfully make those requests.

The problem I’m having now is that after 20 minutes my access token expires, and Auth0 is failing to use refresh tokens to get a new access token. Upon investigation, I can see that after redirecting back to my app from the Tradestation sign-in page, Auth0 makes a call to https://signin.tradestation.com/oauth/token to get the access token and refresh token. I’ve included the “offline_access” scope, and I’ve configured my Auth0Provider to useRefreshTokens, but the response from that endpoint does not include any refresh token. This explains why I’m unable to stay logged in after 20 minutes!

I contacted Tradestation about this problem, and they responded:

By default, v3 refresh tokens do not expire. Normally, a long-lived refresh token is not suitable for storage in a single page application because there is no persistent storage mechanism in a browser that can assure access by the intended application only.

The offline_access scope will permit the code exchange to return a refresh token, provided the POST request does not include an “Origin” header. Requests made in a browser typically inject an “Origin” header. Is the code exchange made in the browser after logging in?

With that said, you might consider making the code exchange one time manually outside the browser and then using the refresh token repeatedly to generate new access tokens as needed. The refresh token will not expire.

So, I wrote a Chrome extension to remove “Origin” request headers, and that caused the call to /oauth/token to fail with a CORS error (of course). So, I’m confused. Is it normal for the server not to send the refresh_token if an “Origin” header is provided?

Was the TS support person trying to say that I’m specifically not allowed to get a refresh token because I’m building a browser based application and that would be insecure since the refresh tokens don’t expire? Is that normal?

What are my options from an Auth0 perspective? Do I need to configure Auth0 to use a local proxy server (I’d spin one up for this purpose) to make the request to Tradestation’s /oauth/token endpoint?

I realize that Auth0 isn’t responsible for the tradestation implementation, but I’m hoping I can get some guidance from this community…

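The arrangement Tradestation support suggests, a one-time code exchange done outside the browser with the non-expiring refresh token held server-side, as an added example that is not part of the original post and is not Tradestation’s or Auth0’s code. It assumes a synchronous `post` transport hook (so it runs offline), standard OAuth 2.0 parameter names, and that `client_secret` / PKCE `code_verifier` may or may not be required by Tradestation (both are optional here); the fake token endpoint reproduces only the behaviour support described, namely that `refresh_token` is returned only when no `Origin` header is present.

```javascript
// Added example (not code from the original post, Tradestation or Auth0). It models
// the arrangement support suggested: do the code exchange once from a server process
// (no browser Origin header), keep the non-expiring refresh token there, and hand the
// SPA only short-lived access tokens. `post` is an assumed synchronous transport hook
// so the example runs offline; in production it would wrap an HTTPS client.
const TOKEN_URL = "https://signin.tradestation.com/oauth/token"; // endpoint named in the post
const FORM = { "Content-Type": "application/x-www-form-urlencoded" };
const REFRESH_MARGIN_S = 60; // assumed: refresh this long before the access token expires

// Standard OAuth 2.0 bodies. Whether Tradestation also wants client_secret or a PKCE
// code_verifier on the exchange is an assumption, so both are optional.
function codeExchangeBody({ clientId, code, redirectUri, clientSecret, codeVerifier }) {
  const p = new URLSearchParams({ grant_type: "authorization_code", client_id: clientId, code, redirect_uri: redirectUri });
  if (clientSecret) p.set("client_secret", clientSecret);
  if (codeVerifier) p.set("code_verifier", codeVerifier);
  return p.toString();
}
function refreshBody({ clientId, refreshToken, clientSecret }) {
  const p = new URLSearchParams({ grant_type: "refresh_token", client_id: clientId, refresh_token: refreshToken });
  if (clientSecret) p.set("client_secret", clientSecret);
  return p.toString();
}

class TokenBroker {
  // post(url, headers, body) -> { status, json }; now() -> unix seconds
  constructor({ post, now, ...creds }) {
    this.post = post;
    this.now = now || (() => Math.floor(Date.now() / 1000));
    this.creds = creds;
    this.refreshToken = null; this.accessToken = null; this.expiresAt = 0;
  }
  // Run once, server-side, with the code from the redirect. Not a browser request, so
  // no Origin header is attached and the response should carry refresh_token.
  exchangeCode(code) {
    const res = this.post(TOKEN_URL, { ...FORM }, codeExchangeBody({ ...this.creds, code }));
    if (res.status !== 200) throw new Error(`token endpoint returned ${res.status}`);
    if (!res.json.refresh_token) throw new Error("no refresh_token in response; was the exchange made from a browser (Origin header)?");
    this.refreshToken = res.json.refresh_token;
    this.remember(res.json);
  }
  remember(json) { this.accessToken = json.access_token; this.expiresAt = this.now() + json.expires_in; }
  // What the SPA asks for over its own authenticated session. The refresh token never
  // leaves this process; the browser only ever sees the short-lived access token.
  getAccessToken() {
    if (this.accessToken && this.now() + REFRESH_MARGIN_S < this.expiresAt) return this.accessToken;
    if (!this.refreshToken) throw new Error("not connected: call exchangeCode first");
    const res = this.post(TOKEN_URL, { ...FORM }, refreshBody({ ...this.creds, refreshToken: this.refreshToken }));
    if (res.status !== 200) throw new Error(`refresh failed with ${res.status}`);
    this.remember(res.json);
    return this.accessToken;
  }
}

// Constructed stand-in for the token endpoint reproducing the behaviour support described:
// refresh_token is present only when the request carries no Origin header. Token values are
// made up; the 1200 s (20 min) access-token lifetime matches the post.
let refreshCount = 0;
function fakeTokenEndpoint(url, headers, body) {
  if (url !== TOKEN_URL) return { status: 404, json: {} };
  const p = new URLSearchParams(body);
  const hasOrigin = Object.keys(headers).some((h) => h.toLowerCase() === "origin");
  if (p.get("grant_type") === "authorization_code") {
    const json = { access_token: `at-${p.get("code")}`, token_type: "Bearer", expires_in: 1200 };
    if (!hasOrigin) json.refresh_token = `rt-${p.get("code")}`;
    return { status: 200, json };
  }
  if (p.get("grant_type") === "refresh_token" && p.get("refresh_token")) {
    refreshCount += 1;
    return { status: 200, json: { access_token: `at-refreshed-${refreshCount}`, token_type: "Bearer", expires_in: 1200 } };
  }
  return { status: 400, json: { error: "invalid_request" } };
}

// Walks both paths against the fake endpoint with a controllable clock.
function brokerScenario() {
  let clock = 0;
  const creds = { clientId: "example-client-id", redirectUri: "http://localhost:3000/callback" }; // constructed
  const broker = new TokenBroker({ post: fakeTokenEndpoint, now: () => clock, ...creds });
  broker.exchangeCode("code123");
  const first = broker.getAccessToken();   // still valid: served from cache, no network call
  clock = 1200 - REFRESH_MARGIN_S;          // inside the margin: forces grant_type=refresh_token
  const second = broker.getAccessToken();
  // The same exchange as the SDK makes it in the browser, where fetch adds Origin.
  const browserPost = (u, h, b) => fakeTokenEndpoint(u, { ...h, Origin: "http://localhost:3000" }, b);
  const spa = new TokenBroker({ post: browserPost, now: () => clock, ...creds });
  let browserError = null;
  try { spa.exchangeCode("code123"); } catch (e) { browserError = e.message; }
  return { first, second, refreshTokenHeld: broker.refreshToken, browserError };
}
```

Two practical consequences of this layout: the SPA must authenticate to the broker on its own (a session cookie or the app’s own Auth0 login), because anyone who can call `getAccessToken` can trade on the linked account; and the stored refresh token is a permanent credential for that account, so it belongs in a secret store or encrypted at rest, never in browser storage, which is exactly the concern support raised.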

Hi @jamesmarkosullivan,

Thanks for posting in the Auth0 Community.

I need more information from you to understand the issue.

  • Please share the intended flow in detail from an application & user perspective
  • Are you using Auth0 New Universal Login?
  • What are your current configurations in Auth0?
  • Would you be able to send a HAR file of your authentication flow over a private message? That would help me understand your current flow and configurations.
  • Also, it would be great if you could send me the link to the Auth0 SDK & version you are using.

That’s correct, Refresh Tokens in Auth0 typically never expire, and SPAs cannot securely store tokens, secrets, etc., in any client (browser) context. However, we recommend using Refresh Token Rotation.

RTR makes the use of Refresh Tokens as a substitute for silent auth viable in a SPA context because it minimizes the security risk should a Refresh Token get leaked:

  • A Rotating Refresh Token has a finite lifetime
  • An RTR can’t be reused
  • Besides working with ITP2, extra protection is provided by Reuse Detection against potentially stolen tokens.

Hope this helps!
