Unable to retrieve a refresh token using the passwordless link method

I’ve created a native application and defined the Allowed Callback URLs corresponding to my native app.
I’ve set the grant types to Refresh Token, Implicit and Passwordless OTP.
I’ve configured the passwordless connection and I am able to receive emails.

I am requesting a passwordless link using the passwordless/start api ( Authentication API Explorer).

fetcher(`https://${AUTH0_DOMAIN}/passwordless/start`, {
  method: 'post',
  body: JSON.stringify({
    client_id: AUTH0_CLIENT_ID,
    connection: 'email',
    send: 'link',
    email: values.email,
    authParams: {
      scope: 'openid email profile offline_access'
    },
  }),
})

I receive an email with the following example link (
https://xxx.auth0.com/passwordless/verify_redirect?scope=openid%20email%20profile%20offline_access&response_type=token&redirect_uri=xxx&grant_type=token&verification_code=xxx&connection=email&client_id=xxx&email=xxx).

After clicking the url, my native app opens and the deep link contains: xxx://xxx.auth0.com/ios/xxx/callback#access_token=xxx&scope=openid%20profile%20email%20offline_access&expires_in=7200&token_type=Bearer

Since this is a native application I would like to use refresh tokens as recommended.

ps:
if I use a code instead of a magic link I am able to get a refresh token using oauth/token api (Authentication API Explorer)

 fetcher(`https://${AUTH0_DOMAIN}/oauth/token`, {
  method: 'post',
  body: JSON.stringify({
    client_id: Config.AUTH0_CLIENT_ID,
    grant_type: 'http://auth0.com/oauth/grant-type/passwordless/otp',
    connection: 'email',
    realm: 'email',
    username: values.email,
    otp: values.code,
    scope: 'openid email profile offline_access',
  }),
})

This correctly returns me an access and refresh token. But this flow kills the whole usefulness of magic links since now codes need to copy/pasted manually.

How did you get it to work with the OTP code? I’m having the same issue but with SMS instead, no refresh token is available.

This is the reply I got from auth0.

Hi There, You can use use refresh token flow if you are executing one of the following oauth2.0 flows.

• Authorization Code Flow
• Authorization Code Flow with Proof Key for Code Exchange (PKCE)
• Resource Owner Password Flow
• Device Authorization Flow

Token Best Practices flow is not part of Oauth2.0 grant flows. Hence, it is not supported.

As mentioned before, if you use Universal Login Flow and implement passwordless login via Hosted Login Page, you can create longer session for the user via refresh token. In that case, application will be executing Authorization Code Grant flow.

We have opted to use a code instead of a magic link and calling the /oauth/token endpoint to get a refresh token.

Thanks for sharing that with the rest of community!

Thanks for the link! Flipping the Allow Offline Access switch in my API helped solve the issue. Now Auth0 response includes the refresh token. Perhaps setting the same for your API and also including an audience param could solve your issue aswell?

1. Call the /v2/oauth2/token endpoint and pass the refresh token along with these parameters.
2. grant_type —Specify the string refresh_token .
3. refresh_token —The refresh token you created.
4. valid_for —Number of seconds until the access token expires. Default is 60 seconds.

liteblue login

Hello everyone! I would like to know if for passwordless link method that response is still valid, isn’t there a way to get a refresh token? Thank you