Why no "Allow Offline Access" option in Default API and Invalid Token for Custom Api?

I have two APIs.

In the first one I can't find the "Allow Offline Access" option. My question is why?

In the second API I have this option and it is enabled.


I am sending a POST to

https://preciselab.eu.auth0.com/oauth/token

with the Default API as audience.

Then I can see:

{
    "access_token": "___",
    "scope": "read:client_grants create:client_grants delete:client_grants update:client_grants read:users update:users delete:users create:users read:users_app_metadata update:users_app_metadata delete:users_app_metadata create:users_app_metadata read:user_custom_blocks create:user_custom_blocks delete:user_custom_blocks create:user_tickets read:clients update:clients delete:clients create:clients read:client_keys update:client_keys delete:client_keys create:client_keys read:connections update:connections delete:connections create:connections read:resource_servers update:resource_servers delete:resource_servers create:resource_servers read:device_credentials update:device_credentials delete:device_credentials create:device_credentials read:rules update:rules delete:rules create:rules read:rules_configs update:rules_configs delete:rules_configs read:hooks update:hooks delete:hooks create:hooks read:actions update:actions delete:actions create:actions read:email_provider update:email_provider delete:email_provider create:email_provider blacklist:tokens read:stats read:insights read:tenant_settings update:tenant_settings read:logs read:logs_users read:shields create:shields update:shields delete:shields read:anomaly_blocks delete:anomaly_blocks update:triggers read:triggers read:grants delete:grants read:guardian_factors update:guardian_factors read:guardian_enrollments delete:guardian_enrollments create:guardian_enrollment_tickets read:user_idp_tokens create:passwords_checking_job delete:passwords_checking_job read:custom_domains delete:custom_domains create:custom_domains update:custom_domains read:email_templates create:email_templates update:email_templates read:mfa_policies update:mfa_policies read:roles create:roles delete:roles update:roles read:prompts update:prompts read:branding update:branding delete:branding read:log_streams create:log_streams delete:log_streams update:log_streams create:signing_keys read:signing_keys update:signing_keys read:limits update:limits create:role_members read:role_members delete:role_members read:entitlements read:attack_protection update:attack_protection read:organizations update:organizations create:organizations delete:organizations create:organization_members read:organization_members delete:organization_members create:organization_connections read:organization_connections update:organization_connections delete:organization_connections create:organization_member_roles read:organization_member_roles delete:organization_member_roles create:organization_invitations read:organization_invitations delete:organization_invitations",
    "expires_in": 2592000,
    "token_type": "Bearer"
}

The access token decoded as a JWT is:

{
  "iss": "https://preciselab.eu.auth0.com/",
  "sub": "FpQkenaMTfIsYSCXL2zWpdyxJNJ0Z1wx@clients",
  "aud": "https://preciselab.eu.auth0.com/api/v2/",
  "iat": 1637156478,
  "exp": 1639748478,
  "azp": "FpQkenaMTfIsYSCXL2zWpdyxJNJ0Z1wx",
  "scope": "read:client_grants create:client_grants delete:client_grants update:client_grants read:users update:users delete:users create:users read:users_app_metadata update:users_app_metadata delete:users_app_metadata create:users_app_metadata read:user_custom_blocks create:user_custom_blocks delete:user_custom_blocks create:user_tickets read:clients update:clients delete:clients create:clients read:client_keys update:client_keys delete:client_keys create:client_keys read:connections update:connections delete:connections create:connections read:resource_servers update:resource_servers delete:resource_servers create:resource_servers read:device_credentials update:device_credentials delete:device_credentials create:device_credentials read:rules update:rules delete:rules create:rules read:rules_configs update:rules_configs delete:rules_configs read:hooks update:hooks delete:hooks create:hooks read:actions update:actions delete:actions create:actions read:email_provider update:email_provider delete:email_provider create:email_provider blacklist:tokens read:stats read:insights read:tenant_settings update:tenant_settings read:logs read:logs_users read:shields create:shields update:shields delete:shields read:anomaly_blocks delete:anomaly_blocks update:triggers read:triggers read:grants delete:grants read:guardian_factors update:guardian_factors read:guardian_enrollments delete:guardian_enrollments create:guardian_enrollment_tickets read:user_idp_tokens create:passwords_checking_job delete:passwords_checking_job read:custom_domains delete:custom_domains create:custom_domains update:custom_domains read:email_templates create:email_templates update:email_templates read:mfa_policies update:mfa_policies read:roles create:roles delete:roles update:roles read:prompts update:prompts read:branding update:branding delete:branding read:log_streams create:log_streams delete:log_streams update:log_streams create:signing_keys read:signing_keys update:signing_keys read:limits update:limits create:role_members read:role_members delete:role_members read:entitlements read:attack_protection update:attack_protection read:organizations update:organizations create:organizations delete:organizations create:organization_members read:organization_members delete:organization_members create:organization_connections read:organization_connections update:organization_connections delete:organization_connections create:organization_member_roles read:organization_member_roles delete:organization_member_roles create:organization_invitations read:organization_invitations delete:organization_invitations",
  "gty": "client-credentials"
}

Then I query the user to get his Google refresh token:

https://preciselab.eu.auth0.com/api/v2/users/google-oauth2|108561822785941523583

with the access token from the previous request as a Bearer token in the Authorization header, and I see:

{
    "created_at": "2021-10-22T11:04:25.193Z",
    "email": "gustaw.daniel@gmail.com",
    "email_verified": true,
    "family_name": "Gustaw",
    "given_name": "Daniel",
    "identities": [
        {
            "provider": "google-oauth2",
            "access_token": "___",
            "expires_in": 3599,
            "user_id": "108561822785941523583",
            "connection": "google-oauth2",
            "isSocial": true
        }
    ],
    "locale": "pl",
    "name": "Daniel Gustaw",
    "nickname": "gustaw.daniel",
    "picture": "https://lh3.googleusercontent.com/a-/AOh14GiBnN26LjSWpLdXQyydRT419svcoitwQg_7vr94OQ=s96-c",
    "updated_at": "2021-11-16T20:40:38.926Z",
    "user_id": "google-oauth2|108561822785941523583",
    "last_ip": "82.214.171.158",
    "last_login": "2021-11-16T20:40:38.926Z",
    "logins_count": 49
}

without the Google refresh token.


So I try to use the custom API and send a POST to

https://preciselab.eu.auth0.com/oauth/token

with the custom API as audience.

But now I can't see the scopes in the response:

{
    "access_token": "___",
    "scope": "read:users read:user_idp_tokens",
    "expires_in": 86400,
    "token_type": "Bearer"
}

This access token has the payload:

{
  "iss": "https://preciselab.eu.auth0.com/",
  "sub": "FpQkenaMTfIsYSCXL2zWpdyxJNJ0Z1wx@clients",
  "aud": "offline",
  "iat": 1637157257,
  "exp": 1637243657,
  "azp": "FpQkenaMTfIsYSCXL2zWpdyxJNJ0Z1wx",
  "scope": "read:users read:user_idp_tokens",
  "gty": "client-credentials"
}

So the scopes are the same as in the docs:

read:users read:user_idp_tokens

Using this token I received

{
    "statusCode": 401,
    "error": "Unauthorized",
    "message": "Invalid token"
}

from the query about the user.
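As an added example (not code from the original question), the checks below run over the two decoded token payloads posted above and over the Management API user record, before any request is sent. The Management API (https://preciselab.eu.auth0.com/api/v2/) only accepts access tokens whose `aud` is its own identifier and whose `scope` covers the operation, so the payload of the second token (`"aud": "offline"`) is flagged even though its scopes match the docs. The payload scope lists are shortened to the entries relevant here, `now` is fixed so the check is reproducible offline, and the user record is copied from the question (no `refresh_token` in the identity). Signature verification is out of scope for this example.

```python
"""Pre-flight checks for calling the Auth0 Management API with a client-credentials token.

Added example, not from the original post. Works on already-decoded JWT payloads (dicts)
so it runs offline; it does not verify signatures.
"""
from typing import List, Optional
from urllib.parse import quote

TENANT = "preciselab.eu.auth0.com"                        # from the post
MGMT_API_AUDIENCE = f"https://{TENANT}/api/v2/"            # Management API identifier (the 'aud' it requires)
REQUIRED_SCOPES = {"read:users", "read:user_idp_tokens"}   # scopes the post cites from the Auth0 docs

# Payloads copied from the post; the long scope string of the first one is shortened
# to the relevant entries. Token values themselves were redacted ("___") in the post.
DEFAULT_API_PAYLOAD = {
    "iss": f"https://{TENANT}/",
    "sub": "FpQkenaMTfIsYSCXL2zWpdyxJNJ0Z1wx@clients",
    "aud": "https://preciselab.eu.auth0.com/api/v2/",
    "iat": 1637156478,
    "exp": 1639748478,
    "azp": "FpQkenaMTfIsYSCXL2zWpdyxJNJ0Z1wx",
    "scope": "read:client_grants read:users update:users read:user_idp_tokens read:clients",
    "gty": "client-credentials",
}
CUSTOM_API_PAYLOAD = {
    "iss": f"https://{TENANT}/",
    "sub": "FpQkenaMTfIsYSCXL2zWpdyxJNJ0Z1wx@clients",
    "aud": "offline",
    "iat": 1637157257,
    "exp": 1637243657,
    "azp": "FpQkenaMTfIsYSCXL2zWpdyxJNJ0Z1wx",
    "scope": "read:users read:user_idp_tokens",
    "gty": "client-credentials",
}
# User record as returned in the post: the google-oauth2 identity carries an
# access_token but no refresh_token.
USER_RECORD = {
    "user_id": "google-oauth2|108561822785941523583",
    "identities": [
        {"provider": "google-oauth2", "access_token": "___", "expires_in": 3599,
         "user_id": "108561822785941523583", "connection": "google-oauth2", "isSocial": True}
    ],
}
NOW = 1637160000  # fixed 'current time' (between the two tokens' iat and exp) for reproducibility


def check_management_token(payload: dict, now: int = NOW) -> List[str]:
    """Return the reasons the Management API would reject this token; [] means it should pass."""
    problems = []
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]   # 'aud' may be a string or a list
    if MGMT_API_AUDIENCE not in audiences:
        problems.append(f"aud is {aud!r}; Management API expects {MGMT_API_AUDIENCE!r}")
    granted = set(payload.get("scope", "").split())
    missing = REQUIRED_SCOPES - granted
    if missing:
        problems.append("missing scopes: " + " ".join(sorted(missing)))
    if payload.get("exp", 0) <= now:
        problems.append("token expired")
    if payload.get("iss") != f"https://{TENANT}/":
        problems.append(f"unexpected issuer {payload.get('iss')!r}")
    return problems


def user_endpoint(user_id: str) -> str:
    """Management API URL for a user; the '|' in ids like 'google-oauth2|123' must be %7C-encoded."""
    return f"{MGMT_API_AUDIENCE}users/{quote(user_id, safe='')}"


def idp_tokens(user: dict, connection: str = "google-oauth2") -> Optional[dict]:
    """Upstream IdP tokens stored on the matching identity, or None if the connection is absent.

    refresh_token is None when the IdP never issued one (the situation in the post).
    """
    for identity in user.get("identities", []):
        if identity.get("connection") == connection:
            return {"access_token": identity.get("access_token"),
                    "refresh_token": identity.get("refresh_token")}
    return None


if __name__ == "__main__":
    for name, payload in (("Default API", DEFAULT_API_PAYLOAD), ("custom API", CUSTOM_API_PAYLOAD)):
        print(name, "token:", check_management_token(payload) or "OK for Management API")
    print(user_endpoint(USER_RECORD["user_id"]))
    print(idp_tokens(USER_RECORD))
```

Run against the two payloads, the first passes and the second is rejected solely for its audience: the scopes and expiry are fine, so a 401 "Invalid token" from /api/v2 with that token is expected regardless of which scopes were requested.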

This is a setting that would grant refresh tokens for the management API for your tenant. I don’t think this is what you want to do.

I think you are looking to get refresh tokens for Google.

In order to get Google refresh tokens, include the following params when you log in with your user. For example:

GET https://YOUR-TENANT.auth0.com/authorize
  ?client_id=xxx
  &response_type=token
  &redirect_uri=http://YOUR_APP/callback
  &scope=openid%20name%20email
  &access_type=offline
  &connection_scope=YOUR-CONNECTION-SCOPES

The refresh token will not appear until you have logged in again with the user.
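As an added example (not code from the answer above), the following builds the /authorize request the answer describes, with `access_type=offline` and `connection_scope`, adds a `state` value and checks it on the callback (with `response_type=token` the parameters come back in the URL fragment), and then reads the Google refresh token off the user's `google-oauth2` identity once it is present. Tenant, client_id, redirect_uri and the Google scope are placeholders, and the two user records are constructed from the shape shown in the question: one before and one after the user has logged in again.

```python
"""Authorize request for Google offline access, and reading the refresh token back.

Added example, not from the original thread. Placeholders: YOUR-TENANT.auth0.com, client_id
"xxx", redirect_uri http://YOUR_APP/callback and the Google scope requested via connection_scope.
"""
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit


def new_state() -> str:
    """Unguessable anti-CSRF value; store it in the user's session before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str,
                        connection_scope: str, state: str) -> str:
    """The GET /authorize URL from the answer, plus a state parameter."""
    params = {
        "client_id": client_id,
        "response_type": "token",          # as in the answer; tokens return in the URL fragment
        "redirect_uri": redirect_uri,
        "scope": "openid name email",      # Auth0 scopes for the login itself
        "access_type": "offline",          # passed through to Google so it issues a refresh token
        "connection_scope": connection_scope,  # Google API scopes requested on the connection
        "state": state,                    # verified on the callback
    }
    return f"https://{tenant}/authorize?" + urlencode(params)


def callback_state_matches(callback_url: str, expected_state: str) -> bool:
    """True only if the fragment carries the state we issued (constant-time compare)."""
    fragment = urlsplit(callback_url).fragment
    received = parse_qs(fragment).get("state", [None])[0]
    return received is not None and secrets.compare_digest(received, expected_state)


def google_refresh_token(user: dict) -> Optional[str]:
    """Refresh token stored on the google-oauth2 identity of a Management API user record, if any."""
    for identity in user.get("identities", []):
        if identity.get("connection") == "google-oauth2":
            return identity.get("refresh_token")
    return None


# Constructed records in the shape of the question's GET /api/v2/users/{id} response.
USER_BEFORE_RELOGIN = {
    "user_id": "google-oauth2|108561822785941523583",
    "identities": [{"provider": "google-oauth2", "connection": "google-oauth2",
                    "access_token": "___", "expires_in": 3599, "isSocial": True}],
}
USER_AFTER_RELOGIN = {
    "user_id": "google-oauth2|108561822785941523583",
    "identities": [{"provider": "google-oauth2", "connection": "google-oauth2",
                    "access_token": "___", "refresh_token": "1//constructed-example-refresh-token",
                    "expires_in": 3599, "isSocial": True}],
}

if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url("YOUR-TENANT.auth0.com", "xxx", "http://YOUR_APP/callback",
                              "https://www.googleapis.com/auth/calendar.readonly", state))
    print(google_refresh_token(USER_BEFORE_RELOGIN))   # None: no offline grant yet
    print(google_refresh_token(USER_AFTER_RELOGIN))    # the stored token
```

Reading the token requires the Management API call from the question, with a token whose `aud` is the Management API and whose scope includes `read:user_idp_tokens`; this block only handles the request construction and the parsing, so it runs offline.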