Using refresh tokens with realms

We have 2 database connections set up and are noticing that there are differences in how an access token is obtained via a refresh token when authenticating with the grant type password vs http://auth0.com/oauth/grant-type/password-realm.

With a refresh token from a password grant type, all the claims and scopes are retained in the new access token.

With a refresh token from a http://auth0.com/oauth/grant-type/password-realm grant type, we lose custom claims and all original scope except for offline_access.

Is there a configuration or way to make the refresh token for http://auth0.com/oauth/grant-type/password-realm to behave the same way as the password grant type, in other words retain all the claims and scopes in the new access token?
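To make the two steps concrete and to check exactly what is lost, here is an added example (not from the original post or from Auth0): it builds the request bodies for the password-realm grant and the refresh_token grant, then diffs the scopes and custom claims of the initial and refreshed access tokens. The tenant URL, client values, realm name and custom claim name are placeholders.

```python
import base64
import json

# Placeholder tenant URL (assumption): replace with your Auth0 domain.
TOKEN_URL = "https://YOUR_TENANT.auth0.com/oauth/token"
REALM_GRANT = "http://auth0.com/oauth/grant-type/password-realm"


def password_realm_request(client_id, client_secret, username, password,
                           realm, audience, scope):
    """Body for the initial /oauth/token call using the password-realm grant.
    'realm' selects which database connection to authenticate against;
    'offline_access' in scope is what makes Auth0 issue a refresh token."""
    return {"grant_type": REALM_GRANT, "client_id": client_id,
            "client_secret": client_secret, "username": username,
            "password": password, "realm": realm, "audience": audience,
            "scope": scope}


def refresh_request(client_id, client_secret, refresh_token, scope=None):
    """Body for the refresh_token grant. 'scope' is optional; when omitted the
    new access token should carry the scopes of the original grant."""
    body = {"grant_type": "refresh_token", "client_id": client_id,
            "client_secret": client_secret, "refresh_token": refresh_token}
    if scope:
        body["scope"] = scope
    return body


def jwt_payload(token):
    """Decode the payload segment only, for inspection. This does NOT verify
    the signature; never make authorization decisions on an unverified payload."""
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))


def compare_access_tokens(initial, refreshed, custom_claims):
    """Report scopes and custom claims present in the initial access token but
    missing from the one returned by the refresh flow."""
    a, b = jwt_payload(initial), jwt_payload(refreshed)
    lost_scopes = set(a.get("scope", "").split()) - set(b.get("scope", "").split())
    lost_claims = [c for c in custom_claims if c in a and c not in b]
    return {"lost_scopes": sorted(lost_scopes), "lost_claims": lost_claims}


def make_sample_token(payload):
    """Constructed, unsigned sample token (header.payload.sig) for offline use;
    a real Auth0 access token would be signed by the tenant."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.sig"
```

Post `password_realm_request(...)` to `TOKEN_URL`, then post `refresh_request(...)` with the returned refresh token, and feed both access tokens to `compare_access_tokens` to see which scopes and custom claims the refreshed token dropped.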

Hi there @dai.le, welcome to the community!

I was just able to test this on my end, and can’t seem to reproduce the issue you are seeing - I am seeing the expected behavior where, while using the http://auth0.com/oauth/grant-type/password-realm grant type, the access token received in the refresh token flow contains the same scopes and claims as the initial access token.

Are you just omitting scopes in the request using the refresh token? Doing so should just return whatever was included in the initial request in which the refresh token was received.

Let us know!

Hi @tyf

The scopes are not included in the request using the refresh token.

We have an email thread going with @cody.mansfield on this, also. Will do more testing and update in email thread.

Thanks,
Dai


Great! Thanks for the heads up - Please do keep us posted here as well!
