Hi,
I have a native app with a fully custom UI that uses passwordless via SMS for sign up and authentication.

I have that working by POSTing to `/passwordless/start` to trigger the sending of the code over SMS, and once the user enters the received code in the app I authenticate them with a POST to `oauth/token` sent with a `grant_type` of `http://auth0.com/oauth/grant-type/passwordless/otp` and include `offline_access` in the `scope`.

This works great in that I get back the `access_token`, `id_token` and `refresh_token`. No problems there.

Where I'm stuck is on using the `refresh_token`.

I tried POSTing to `oauth/token` with a `grant_type` of `refresh_token` and all the other required fields as detailed in the docs at https://auth0.com/docs/security/tokens/refresh-tokens/use-refresh-tokens but I get an error:

{ error: 'access_denied', error_description: 'Unauthorized' }
So the fact that that isn't working is my first problem that I'm hoping someone can help with.

My second concern is that this approach to using the `refresh_token` requires having the client secret in the native app, which seems like a security risk.

Is there a better way to make use of the refresh token from a native app?

Thanks!
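The three calls described in the post (passwordless start, OTP exchange with `offline_access`, then the `refresh_token` grant) as an added example client, not code from the post or from Auth0's SDK. It assumes the app is registered as a public client and sends only `client_id`, never a client secret; `DOMAIN` and `CLIENT_ID` are placeholders, and the HTTP transport is injectable so the flow can be exercised offline against a fake, including the `access_denied` response quoted above.

```python
"""Passwordless SMS OTP + refresh-token client for a native app (added example)."""
import json
import urllib.error
import urllib.request
from typing import Any, Callable, Dict

DOMAIN = "YOUR_TENANT.auth0.com"   # placeholder, not a real tenant
CLIENT_ID = "YOUR_CLIENT_ID"       # placeholder; public client, no secret shipped
OTP_GRANT = "http://auth0.com/oauth/grant-type/passwordless/otp"
Json = Dict[str, Any]


def http_post(url: str, body: Json) -> Json:
    """Default transport: JSON POST; 4xx bodies are returned, not swallowed."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)          # e.g. {"error": "access_denied", ...}


class TokenError(Exception):
    """Raised when /oauth/token answers with an OAuth error object."""
    def __init__(self, error: str, description: str):
        super().__init__(f"{error}: {description}")
        self.error, self.description = error, description


class PasswordlessClient:
    def __init__(self, post: Callable[[str, Json], Json] = http_post):
        self.post, self.base = post, f"https://{DOMAIN}"

    def _token(self, body: Json) -> Json:
        data = self.post(f"{self.base}/oauth/token", {"client_id": CLIENT_ID, **body})
        if "error" in data:            # never treat an error body as a token set
            raise TokenError(data["error"], data.get("error_description", ""))
        return data

    def start(self, phone: str) -> Json:
        """Trigger the SMS code."""
        return self.post(f"{self.base}/passwordless/start",
                         {"client_id": CLIENT_ID, "connection": "sms",
                          "phone_number": phone, "send": "code"})

    def exchange_otp(self, phone: str, otp: str) -> Json:
        """Swap the entered code for access/id/refresh tokens."""
        return self._token({"grant_type": OTP_GRANT, "username": phone, "otp": otp,
                            "realm": "sms", "scope": "openid profile offline_access"})

    def refresh(self, refresh_token: str) -> Json:
        return self._token({"grant_type": "refresh_token", "refresh_token": refresh_token})
```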