I have two APIs.
In the first one I can't find the "Allow Offline Access" option. My question is why?
In the second API I have this option and it is enabled.
I am sending a POST to
https://preciselab.eu.auth0.com/oauth/token
with the default API as audience.
Then I can see
{
"access_token": "___",
"scope": "read:client_grants create:client_grants delete:client_grants update:client_grants read:users update:users delete:users create:users read:users_app_metadata update:users_app_metadata delete:users_app_metadata create:users_app_metadata read:user_custom_blocks create:user_custom_blocks delete:user_custom_blocks create:user_tickets read:clients update:clients delete:clients create:clients read:client_keys update:client_keys delete:client_keys create:client_keys read:connections update:connections delete:connections create:connections read:resource_servers update:resource_servers delete:resource_servers create:resource_servers read:device_credentials update:device_credentials delete:device_credentials create:device_credentials read:rules update:rules delete:rules create:rules read:rules_configs update:rules_configs delete:rules_configs read:hooks update:hooks delete:hooks create:hooks read:actions update:actions delete:actions create:actions read:email_provider update:email_provider delete:email_provider create:email_provider blacklist:tokens read:stats read:insights read:tenant_settings update:tenant_settings read:logs read:logs_users read:shields create:shields update:shields delete:shields read:anomaly_blocks delete:anomaly_blocks update:triggers read:triggers read:grants delete:grants read:guardian_factors update:guardian_factors read:guardian_enrollments delete:guardian_enrollments create:guardian_enrollment_tickets read:user_idp_tokens create:passwords_checking_job delete:passwords_checking_job read:custom_domains delete:custom_domains create:custom_domains update:custom_domains read:email_templates create:email_templates update:email_templates read:mfa_policies update:mfa_policies read:roles create:roles delete:roles update:roles read:prompts update:prompts read:branding update:branding delete:branding read:log_streams create:log_streams delete:log_streams update:log_streams create:signing_keys read:signing_keys update:signing_keys read:limits 
update:limits create:role_members read:role_members delete:role_members read:entitlements read:attack_protection update:attack_protection read:organizations update:organizations create:organizations delete:organizations create:organization_members read:organization_members delete:organization_members create:organization_connections read:organization_connections update:organization_connections delete:organization_connections create:organization_member_roles read:organization_member_roles delete:organization_member_roles create:organization_invitations read:organization_invitations delete:organization_invitations",
"expires_in": 2592000,
"token_type": "Bearer"
}
The access token decoded as a JWT is
{
"iss": "https://preciselab.eu.auth0.com/",
"sub": "FpQkenaMTfIsYSCXL2zWpdyxJNJ0Z1wx@clients",
"aud": "https://preciselab.eu.auth0.com/api/v2/",
"iat": 1637156478,
"exp": 1639748478,
"azp": "FpQkenaMTfIsYSCXL2zWpdyxJNJ0Z1wx",
"scope": "read:client_grants create:client_grants delete:client_grants update:client_grants read:users update:users delete:users create:users read:users_app_metadata update:users_app_metadata delete:users_app_metadata create:users_app_metadata read:user_custom_blocks create:user_custom_blocks delete:user_custom_blocks create:user_tickets read:clients update:clients delete:clients create:clients read:client_keys update:client_keys delete:client_keys create:client_keys read:connections update:connections delete:connections create:connections read:resource_servers update:resource_servers delete:resource_servers create:resource_servers read:device_credentials update:device_credentials delete:device_credentials create:device_credentials read:rules update:rules delete:rules create:rules read:rules_configs update:rules_configs delete:rules_configs read:hooks update:hooks delete:hooks create:hooks read:actions update:actions delete:actions create:actions read:email_provider update:email_provider delete:email_provider create:email_provider blacklist:tokens read:stats read:insights read:tenant_settings update:tenant_settings read:logs read:logs_users read:shields create:shields update:shields delete:shields read:anomaly_blocks delete:anomaly_blocks update:triggers read:triggers read:grants delete:grants read:guardian_factors update:guardian_factors read:guardian_enrollments delete:guardian_enrollments create:guardian_enrollment_tickets read:user_idp_tokens create:passwords_checking_job delete:passwords_checking_job read:custom_domains delete:custom_domains create:custom_domains update:custom_domains read:email_templates create:email_templates update:email_templates read:mfa_policies update:mfa_policies read:roles create:roles delete:roles update:roles read:prompts update:prompts read:branding update:branding delete:branding read:log_streams create:log_streams delete:log_streams update:log_streams create:signing_keys read:signing_keys update:signing_keys read:limits 
update:limits create:role_members read:role_members delete:role_members read:entitlements read:attack_protection update:attack_protection read:organizations update:organizations create:organizations delete:organizations create:organization_members read:organization_members delete:organization_members create:organization_connections read:organization_connections update:organization_connections delete:organization_connections create:organization_member_roles read:organization_member_roles delete:organization_member_roles create:organization_invitations read:organization_invitations delete:organization_invitations",
"gty": "client-credentials"
}
Then I ask about the user to get his Google refresh token:
https://preciselab.eu.auth0.com/api/v2/users/google-oauth2|108561822785941523583
with the access token from the previous request as a Bearer token in the Authorization header, and I see
{
"created_at": "2021-10-22T11:04:25.193Z",
"email": "gustaw.daniel@gmail.com",
"email_verified": true,
"family_name": "Gustaw",
"given_name": "Daniel",
"identities": [
{
"provider": "google-oauth2",
"access_token": "___",
"expires_in": 3599,
"user_id": "108561822785941523583",
"connection": "google-oauth2",
"isSocial": true
}
],
"locale": "pl",
"name": "Daniel Gustaw",
"nickname": "gustaw.daniel",
"picture": "https://lh3.googleusercontent.com/a-/AOh14GiBnN26LjSWpLdXQyydRT419svcoitwQg_7vr94OQ=s96-c",
"updated_at": "2021-11-16T20:40:38.926Z",
"user_id": "google-oauth2|108561822785941523583",
"last_ip": "82.214.171.158",
"last_login": "2021-11-16T20:40:38.926Z",
"logins_count": 49
}
without a Google refresh token.
So I try to use the custom API and I send a POST to
https://preciselab.eu.auth0.com/oauth/token
with the custom API as audience.
But now I can't see scopes in the response:
{
"access_token": "___",
"scope": "read:users read:user_idp_tokens",
"expires_in": 86400,
"token_type": "Bearer"
}
This access token has the payload
{
"iss": "https://preciselab.eu.auth0.com/",
"sub": "FpQkenaMTfIsYSCXL2zWpdyxJNJ0Z1wx@clients",
"aud": "offline",
"iat": 1637157257,
"exp": 1637243657,
"azp": "FpQkenaMTfIsYSCXL2zWpdyxJNJ0Z1wx",
"scope": "read:users read:user_idp_tokens",
"gty": "client-credentials"
}
So the scopes are the same as in the docs:
read:users read:user_idp_tokens
Using this token I received
{
"statusCode": 401,
"error": "Unauthorized",
"message": "Invalid token"
}
from the query about the user.
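An added example, not part of the post or of Auth0's own code: the Management API only accepts tokens whose `aud` is the tenant's `/api/v2/` identifier, so a token minted for the custom API (`aud` "offline") is rejected with 401 even though its scopes match the docs. The Python below inspects a token's payload for that audience mismatch and for the two scopes needed to read IdP tokens before any request is sent; the token payloads are constructed from the claims shown in the post (scopes abridged) with dummy signatures, and `check_management_token` is a hypothetical helper name.

```python
import base64
import json

# Scopes the docs require to read a user's IdP tokens (seen in the post).
REQUIRED_SCOPES = {"read:users", "read:user_idp_tokens"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _make_token(payload: dict) -> str:
    # Constructed token for the example: header.payload.dummy-signature.
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.sig"


def check_management_token(token: str, issuer: str) -> list[str]:
    """Return the reasons this token would be rejected by the Management API
    at <issuer>api/v2/, or [] if aud and scope look right. Only the payload
    is inspected; signature verification is the receiving API's job."""
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    expected_aud = issuer + "api/v2/"
    problems = []
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        problems.append(f"aud {aud!r} is not {expected_aud!r}")
    missing = REQUIRED_SCOPES - set(claims.get("scope", "").split())
    if missing:
        problems.append("missing scopes: " + " ".join(sorted(missing)))
    return problems


ISSUER = "https://preciselab.eu.auth0.com/"  # issuer shown in the post
# Constructed payloads modelled on the two tokens in the post (scopes abridged).
MGMT_TOKEN = _make_token({"iss": ISSUER, "aud": ISSUER + "api/v2/",
                          "scope": "read:users read:user_idp_tokens read:logs",
                          "gty": "client-credentials"})
CUSTOM_API_TOKEN = _make_token({"iss": ISSUER, "aud": "offline",
                                "scope": "read:users read:user_idp_tokens",
                                "gty": "client-credentials"})

if __name__ == "__main__":
    for name, tok in (("management", MGMT_TOKEN), ("custom-api", CUSTOM_API_TOKEN)):
        print(name, check_management_token(tok, ISSUER) or "ok")
```

The first token in the post carries every Management API scope and lives for 30 days; a client grant that only needs to read IdP tokens should be limited to `read:users read:user_idp_tokens`.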