We've added support for Refresh Token Rotation!

Support for Refresh Token Rotation!

Auth0 is proud to announce that as of today, Refresh Token Rotation with Reuse Detection is available for all public cloud customers.

Refresh Token Rotation provides a secure method for using refresh tokens in SPAs while providing end-users with seamless access to resources without the disruption in UX caused by browser privacy technology like ITP.

With Refresh Token Rotation enabled, every time a client exchanges an RT to get a new AT, a new RT is also returned. This means you don’t need to worry about having a long-lived RT that, if compromised, could provide illegitimate access to resources. As RTs are continually exchanged and invalidated, the threat surface area is greatly reduced.

Auth0 makes it easy to get started with Refresh Token Rotation. You can enable this capability for any application using the following flows:

  • OAuth2 Authorization Code Flow
  • OAuth2 Authorization Code Flow with Proof Key for Code Exchange (PKCE)
  • OAuth2 Device Authorization Grant (Device Flow)
  • Resource Owner Password Grant (ROPG)

Learn more about Refresh Token Rotation from our Director of Product Management in this blog post:

Documentation

SDKs

What other features would you like to see? Submit your ideas to our feedback page.

Give it a try and let us know what you think!

Thank you for this update!
Hi, I’m interested in reading the blog post for securing SPAs with refresh token rotation, but the link provided seems to be broken.
Good job guys!

Hey there @eduardo!

It’s not broken, the blog post is just not published yet. It should be there within a few hours!


Great update!

Just curious how this works with SSO? We’re using cookie-based authentication now to handle SSO between our two applications, but we’re experiencing issues with the newest versions of Safari, which has third-party cookies disabled by default. Actually, the normal authentication with your auth0-spa-js library doesn’t work with that browser.

Refresh Token Rotation is supposedly the solution for that and in fact the login flow for one application works beautifully with the auth0-spa-js when useRefreshTokens is set to true. But instead it breaks our SSO setup, where formerly we were able to navigate to Site B and automatically be logged in there thanks to checkSession and the auth0 cookie.

How is this use case solved with Refresh Tokens?

I just went through this with my little toy Auth0 app.
Not sure if my experience will help you - but just in case, here’s that thread:

TL;DR: enable the local storage option.
Thanks to Steve for explaining!


Thanks for sharing that thread here @onpaws!

Hey,

I wanted to know whether this newly built feature has any impact on the ID Token Expiration time.
I have set the ID Token Expiration time to 108000 seconds, but I don’t know why it is not being reflected now.

Irrespective of the ID Token Expiration time, the parseToken method in the code always returns 7200 seconds in the expires_at property.

Could you please shed some light on this issue?

Thanks for this feature - this is great news!

I was looking at the settings for an application, I can see that there is a field called “Refresh Token Lifetime (Absolute)” with a caption “Control the absolute timeout beyond which the refresh_token will expire and no longer be rotated (in seconds)”. Does that mean that we also get a way to set the expiry time for a refresh token? If that’s the case, then this is truly awesome!

Update: to answer my own question - yes, this allows you to set an expiry time for the refresh token - the expiry time is not extended when the token is rotated. So, this means that you have to re-authenticate every X number of seconds no matter how many times you rotate the refresh token - the default is 30 days, and the maximum is 90 days.


Yep that is correct!

Hi,

When a new token cannot be fetched because of an invalid refreshToken, auth0-spa-js throws an unhandled error. This is happening only on localhost. Any idea why it happens on localhost, and how should I wrap the library so that if an invalid refresh token is used to fetch a new access_token it will just log out?


Hi, I want to make a client in a .NET application using Auth0 as an authorization server or OIDC provider.
So please help with sample code in .NET for SSO (login to my website using Auth0 credentials and proceed with the userinfo details, including the roles).

Thanks!!!

Hi @konrad.sopala I believe I’m running into an issue which is tied to this. Can you have a look and give me your thoughts please?

Rotating refresh token locking users out after expiry

Hey Konrad!

I am struggling so hard to actually grab a refresh token from the authorize endpoint.

My response looks like this

Object {
  "authentication": null,
  "errorCode": null,
  "params": Object {
    "access_token": "{My access token}",
    "exp://127.0.0.1:19000/--/expo-auth-session": "",
    "expires_in": "7200",
    "id_token": "{Response id_token (No refresh token in here)}",
    "scope": "openid profile email offline_access",
    "token_type": "Bearer",
  },
  "type": "success",
  "url": "exp://127.0.0.1:19000/--/expo-auth-session#access_token={Long token here}",
}

I have tried switching the type of application and updating offline access on the API… I seriously cannot figure out why I can’t get a refresh token.

This has been an ongoing struggle for quite some time now, and all I want to achieve is the ability to have a silent login from my app’s secure storage.

Sorry for the long, long rant, but I am seriously so confused as to whether it is a configuration in my account or if I am just missing a piece of the puzzle.

Here are some params for more context:

  const params = {
    client_id: settings.auth0ClientId,
    redirect_uri: redirectUrl,
    response_type: "token id_token",
    rememberLastLogin: true,
    scope: "openid offline_access profile email",
  };