Menu
I have an old-school angularJs app that has two pages. On both of the pages I include the auth0 lock script.
<script src="https://cdn.auth0.com/js/lock/11.9.0/lock.min.js"></script>
Of those two pages, one has the following js that specifies an auth0 lock to allow users to login:
new Auth0LockPasswordless(configuration.id,configuration.domain,
{
allowedConnections: ['email'],
passwordlessMethod: "link",
auth: {
redirectUrl: configuration.redirectUrl,
responseType: 'token id_token',
params: {
scope: 'openid profile email offline_access'
}
}
}).show();
and the other page is responsible for the call-back after they've clicked the link in their email.
var lock = new Auth0LockPasswordless(configuration.id, configuration.domain);
lock.on('authorization_error',
function(authResult) {
console.log("DEBUG::AUTHRESULT::", authResult);
});
lock.on('authenticated',
function(authResult) {
console.log("DEBUG::AUTHRESULT::", authResult);
});
Now I've set offline_access in the scope of the request, and on my local environment been prompted for additional permissions when authenticating (so it's making it through). However when I check the log from the lock.on('authenticated', function(authResult).. refreshToken is always null.
There's some conflicting documentation around the web, with both suggestions that lock will and wont return a refresh token. Is anyone able to confirm if this code should result in a valid refreshToken?
859
To get a refresh token , you must include the offline_access scope when you initiate an authentication request through the /authorize endpoint. Be sure to initiate Offline Access in your API. For more information, read API Settings.
In order to get an access token with a refresh token, you just need to ask for the offline access type (for example in PHP: $client->setAccessType("offline"); ) and you will get it.
If your app needs to call APIs on behalf of the user, access tokens and (optionally) refresh tokens are needed. These can be stored server-side or in a session cookie. The cookie needs to be encrypted and have a maximum size of 4 KB.
Refresh tokens are random strings generated by the authentication server. They are generated after successful authentication (for example, if the username and password of the user are valid). Their sole purpose is to remove the need to exchange user credentials repeatedly. They are different from access-tokens.
As @user44 said above in the comments, you shouldn't use a refresh token in a SPA (Single Page Application), as it's not a secure client and way to store it securely. Instead, use the silent authentication approach to request new access tokens.
https://auth0.com/docs/api-auth/tutorials/silent-authentication
Depending on which SDK you're using, either auth0-spa-js or auth0.js:
https://auth0.github.io/auth0-spa-js/classes/auth0client.html#gettokensilently
https://auth0.com/docs/libraries/auth0js/v9#polling-with-checksession-
(Disclaimer: I work at Auth0 as Sr. Solutions Engineer)
Update (07. May 2020):
It should be noted that Auth0 recently introduced Refresh Token Rotation https://auth0.com/docs/tokens/concepts/refresh-token-rotation, which is also supported by the Auth0 SPA SDK
166
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
