Use refresh_token from native app (received through passwordless)

Hi,

I have a native app with a fully custom UI that uses passwordless via SMS for sign up and authentication.

I have that working by POSTing to /passwordless/start to trigger the sending of the code over SMS, and once the user enters the received code in the app I authenticate them with a POST to oauth/token sent with a grant_type of http://auth0.com/oauth/grant-type/passwordless/otp and include offline_access in the scope.

This works great in that I get back the access_token, id_token and refresh_token. No problems there.

Where I’m stuck is on using the refresh_token.

I tried POSTing to oauth/token with a grant_type of refresh_token and all the other required fields as detailed in the docs at https://auth0.com/docs/security/tokens/refresh-tokens/use-refresh-tokens but I get an error:

{ error: 'access_denied', error_description: 'Unauthorized' }

So the fact that that isn’t working is my first problem that I’m hoping someone can help with.

My second concern is that this approach to using the refresh_token requires having the client secret in the native app which seems like a security risk.

Is there a better way to make use of the refresh token from a native app?

Thanks!
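The flow described in the question (POST /passwordless/start, then the passwordless OTP grant with offline_access, then the refresh_token grant), as an added example that is not part of the original post. It assumes the Auth0 application is registered as a Native (public) client with "Token Endpoint Authentication Method" set to None, so that /oauth/token accepts client_id alone and no client_secret ever ships in the app; the tenant domain, client_id, audience and phone number are placeholders. The HTTP transport is injectable, and the constructed FakeTenant at the bottom lets the whole exchange run offline, including refresh-token rotation (a reused refresh token is refused with the same access_denied / Unauthorized shape the question shows).

```python
"""Passwordless SMS OTP sign-in plus refresh-token use from a public (native) client.
Added example, not code from the original post. Assumed: a Native Auth0 app configured
with token endpoint authentication "None"; all identifiers below are placeholders."""
import json
import urllib.error
import urllib.request

OTP_GRANT = "http://auth0.com/oauth/grant-type/passwordless/otp"


def post_json(url, body):
    """Real transport: POST a JSON body and return the parsed reply.
    Auth0 answers errors with a JSON object too, so HTTP 4xx is returned, not raised."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)


class PasswordlessClient:
    def __init__(self, domain, client_id, transport=post_json):
        self.start_url = f"https://{domain}/passwordless/start"
        self.token_url = f"https://{domain}/oauth/token"
        self.client_id = client_id
        self.transport = transport

    def start_sms(self, phone_number):
        """Ask the tenant to text a one-time code to the phone."""
        return self.transport(self.start_url, {
            "client_id": self.client_id, "connection": "sms",
            "phone_number": phone_number, "send": "code"})

    def exchange_otp(self, phone_number, otp, audience, scope="openid profile offline_access"):
        """Trade the code the user typed for tokens; offline_access in scope
        is what makes a refresh_token come back."""
        return self.transport(self.token_url, {
            "grant_type": OTP_GRANT, "client_id": self.client_id,
            "username": phone_number, "otp": otp, "realm": "sms",
            "audience": audience, "scope": scope})

    def refresh(self, refresh_token):
        """Public-client refresh: grant_type + client_id + refresh_token, no secret."""
        return self.transport(self.token_url, {
            "grant_type": "refresh_token", "client_id": self.client_id,
            "refresh_token": refresh_token})


class FakeTenant:
    """Constructed stand-in for the Auth0 tenant so the flow runs offline.
    Models refresh-token rotation: each refresh issues a new token and retires
    the old one; a retired or unknown token gets access_denied / Unauthorized."""
    def __init__(self, otp="123456"):
        self.otp = otp
        self.live_refresh_tokens = set()
        self.calls = []           # (url, body) of every request, for inspection
        self.counter = 0

    def _issue(self, with_refresh):
        self.counter += 1
        tokens = {"access_token": f"at-{self.counter}", "token_type": "Bearer", "expires_in": 86400}
        if with_refresh:
            rt = f"rt-{self.counter}"
            self.live_refresh_tokens.add(rt)
            tokens["refresh_token"] = rt
        return tokens

    def __call__(self, url, body):
        self.calls.append((url, body))
        if url.endswith("/passwordless/start"):
            return {"_id": "constructed-id", "phone_number": body["phone_number"]}
        grant = body.get("grant_type")
        if grant == OTP_GRANT:
            if body.get("otp") != self.otp:
                return {"error": "invalid_grant", "error_description": "constructed: wrong code"}
            return self._issue("offline_access" in body.get("scope", "").split())
        if grant == "refresh_token":
            rt = body.get("refresh_token")
            if rt not in self.live_refresh_tokens:
                return {"error": "access_denied", "error_description": "Unauthorized"}
            self.live_refresh_tokens.discard(rt)   # rotation: the old token is single-use
            return self._issue(True)
        return {"error": "unsupported_grant_type", "error_description": str(grant)}


def demo():
    """Run sign-in, one refresh, and a replay of the already-used refresh token."""
    tenant = FakeTenant()
    app = PasswordlessClient("example.auth0.com", "NATIVE_CLIENT_ID", transport=tenant)
    app.start_sms("+15555550100")
    first = app.exchange_otp("+15555550100", "123456", audience="https://api.example.com")
    second = app.refresh(first["refresh_token"])
    replay = app.refresh(first["refresh_token"])   # reused token: refused
    return first, second, replay


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Against a real tenant, pass no transport (the urllib-based post_json is used) and check the JSON reply for an "error" key before reading tokens. If the tenant still answers the refresh with access_denied for a public client, the first thing to verify in the dashboard is the application type and its token endpoint authentication method, since a client registered as confidential will reject a secret-less refresh.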