Tradestation & Refresh Tokens

I’m using the auth0-react SDK to connect my app to the Tradestation API. They use Auth0 as their library of choice, and I think I may be the first person to ever use it because I’ve been hitting problem after problem and there’s no questions or comments from anyone else online about it. As of right now, I’m able to use Auth0-react to sign into my application, and get an access token to make requests from their API and successfully make those requests.

The problem I’m having now is that after 20 minutes, my access token expires and Auth0 is failing to use refresh tokens to get a new access token. Upon investigation, I can see that after redirecting back to my app from the tradestation signin page, Auth0 makes a call to to get the access token and refresh token. I’ve included “offline_access” scope, and I’ve configured my Auth0Provider to useRefreshTokens, but the response from that end-point does not include any refresh tokens. This explains why I’m unable to stay logged in after 20 minutes!

I contacted Tradestation about this problem, and they responded:

By default, v3 refresh tokens do not expire. Normally, a long-lived refresh token is not suitable for storage in a single page application because there is no persistent storage mechanism in a browser that can assure access by the intended application only.

The offline_access scope will permit the code exchange to return a refresh token, provided the POST request does not include an “Origin” header. Requests made in a browser typically inject an “Origin” header. Is the code exchange made in the browser after logging in?

With that said, you might consider making the code exchange one time manually outside the browser and then using the refresh token repeatedly to generate new access tokens as needed. The refresh token will not expire.

So, I wrote a chrome extension to remove request headers for “Origin”, and that resulted in the call to /oauth/token to fail with a CORS error (of course). So, I’m confused. Is it normal for the server to not send the refresh_token if an “Origin” header is provided?

Was the TS support person trying to say that I’m specifically not allowed to get a refresh token because I’m building a browser based application and that would be insecure since the refresh tokens don’t expire? Is that normal?

What are my options from an Auth0 perspective? Do I need to configure auth0 to use a local proxy server (I’d spin one up for this purpose) to make the request to tradestation’s /oauth/token end-point?

I realize that Auth0 isn’t responsible for the tradestation implementation, but I’m hoping I can get some guidance from this community…

1 Like

Hi @jamesmarkosullivan,

Thanks for posting in the Auth0 Community.

I need more information from you to understand the issue.

  • Please share the intended flow in detail from an application & user perspective
  • Are you using Auth0 New Universal Login?
  • What are your current configurations in Aurh0?
  • Would you be able to send a HAR file of your authentication flow over a private message? That would help me understand your current flow and configurations.
  • Also, it would be great if you could send me the link to the Auth0 SDK & version you are using.

That’s correct, Refresh Tokens in Auth0 typically never expire, and SPAs cannot securely store tokens, secrets, etc; in any client (browser) context. However, we recommend using Refresh Token Rotation.

RTR makes the use of Refresh Tokens a substitute for silent auth viable in a SPA context because it minimizes the security should a Refresh Token get leaked:

  • A Rotating Refresh Token has a finite lifetime
  • An RTR can’t be reused
  • Besides working with ITP2, extra protection is provided by Reuse Detection against potentially stolen tokens.

Hope this helps!

1 Like