Auth0 Home Blog Docs

Unable to get refresh token using lock 11.7 and angular-lock



I am using lock 11.7 and angular-lock module ( When user login i get access_token and id_token but not getting refresh token. Here is the params that I am passing.

clientID: config.AUTH_CLIENT_ID,
domain: config.AUTH0_DOMAIN,
options: {
autoclose: true,
auth: {
redirect: false,
responseType: ‘token id_token’,
prompt: ‘login’,
params: {
scope: ‘openid offline_access profile email phone’ // Added offline_access so that we can get refresh token
audience: https://${config.AUTH0_DOMAIN}/api/v2/
theme: {
authButtons: {
“facebook”: {
primaryColor: “#3b5998
“google-auth2”: {
primaryColor: “#dd4b39
primaryColor: “#007bb6
languageDictionary: {
title: “”


You should not use a refresh token with the implicit grant flow. You don’t want to use a refresh token with a public client like an SPA because refresh tokens should only be used from protected clients that are safe to store a client secret.

Instead of using a refresh token, try taking advantage of the auth0 checkSession call to refresh your tokens. See here:


Ok I am not sure if I 100% understand it but what I want to achieve is keep logged in feature with lock i.e user should be logged in always till users logs out i.e get the token from refresh token in frontend. Does above checkSession method gets new token from expired access_token?


Correct, when your access token expires, you can use the checkSession call from auth0.js to get a new access token.

NOTE: this will only continue to get new tokens until the SSO Absolute timeout. This is defined in your tenant settings. The default is 7 days, but you can extend that to up to a month. After that absolute timeout, the user will be prompted for their credentials. Also, if they don’t use the session for 3 days, there is an inactive timeout that will require them to enter credentials again after three days of inactivity.


@Carlos_Mostek Great this solved my problem for web.

But I am also trying to acheive SSO between my extension and web. So both extension and web are using same domain and client. So user signin on extension but go to web page by clicking on a link (this is my web app link which also uses Auth0). On web link on page load I am checking checkSession which is giving me login_required error. I checked on my setting “Use Auth0 instead of the IdP to do Single Sign On” it is disabled but GREEN.

Can you help please


I’m not sure what you mean by “extension”. Is this a native application? Or a browser extension?

Either way, you should be using a browser to redirect to authorize when you log in. If you do this, then you will be getting an SSO cookie on successful login. This will allow you to use checkSession to get new access tokens without requiring the user to login again. Both applications must use the same browser so that the cookies are shared. Otherwise there is no way to do SSO.

NOTE: you do not need to share a client_id between applications to get SSO between the applications. You only need to share a domain (same auth0 tenant).


I would recommend that you don’t use the angular-lock module, and instead use the auth0.js module for logging in.

This will allow you to redirect to the universal login page (you can configure this page in your dashboard).

This will help you avoid issues with banned third-party cookies and other issues associated with embedded login.