Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How do I get a refresh token from auth0 passwordless using lock v11?

I have an old-school angularJs app that has two pages. On both of the pages I include the auth0 lock script.

<script src="https://cdn.auth0.com/js/lock/11.9.0/lock.min.js"></script>

Of those two pages, one has the following js that specifies an auth0 lock to allow users to login:

new Auth0LockPasswordless(configuration.id,configuration.domain,
{
    allowedConnections: ['email'],
    passwordlessMethod: "link",
    auth: {
        redirectUrl: configuration.redirectUrl,
        responseType: 'token id_token',
        params: {
            scope: 'openid profile email offline_access'
        }
    }
}).show();

and the other page is responsible for the call-back after they've clicked the link in their email.

var lock = new Auth0LockPasswordless(configuration.id, configuration.domain);

lock.on('authorization_error',
    function(authResult) {
        console.log("DEBUG::AUTHRESULT::", authResult);
});

lock.on('authenticated',
    function(authResult) {
        console.log("DEBUG::AUTHRESULT::", authResult);
});

Now I've set offline_access in the scope of the request, and on my local environment been prompted for additional permissions when authenticating (so it's making it through). However when I check the log from the lock.on('authenticated', function(authResult).. refreshToken is always null.

There's some conflicting documentation around the web, with both suggestions that lock will and wont return a refresh token. Is anyone able to confirm if this code should result in a valid refreshToken?

like image 859
Lucas Avatar asked Oct 27 '18 21:10

Lucas


People also ask

How do I get my auth0 refresh token?

To get a refresh token , you must include the offline_access scope when you initiate an authentication request through the /authorize endpoint. Be sure to initiate Offline Access in your API. For more information, read API Settings.

How do I get the access token from refresh token?

In order to get an access token with a refresh token, you just need to ask for the offline access type (for example in PHP: $client->setAccessType("offline"); ) and you will get it.

Where does auth0 store refresh token?

If your app needs to call APIs on behalf of the user, access tokens and (optionally) refresh tokens are needed. These can be stored server-side or in a session cookie. The cookie needs to be encrypted and have a maximum size of 4 KB.

How is refresh token generated?

Refresh tokens are random strings generated by the authentication server. They are generated after successful authentication (for example, if the username and password of the user are valid). Their sole purpose is to remove the need to exchange user credentials repeatedly. They are different from access-tokens.


1 Answers

As @user44 said above in the comments, you shouldn't use a refresh token in a SPA (Single Page Application), as it's not a secure client and way to store it securely. Instead, use the silent authentication approach to request new access tokens.

https://auth0.com/docs/api-auth/tutorials/silent-authentication

Depending on which SDK you're using, either auth0-spa-js or auth0.js:

  • https://auth0.github.io/auth0-spa-js/classes/auth0client.html#gettokensilently

  • https://auth0.com/docs/libraries/auth0js/v9#polling-with-checksession-

(Disclaimer: I work at Auth0 as Sr. Solutions Engineer)


Update (07. May 2020):

It should be noted that Auth0 recently introduced Refresh Token Rotation https://auth0.com/docs/tokens/concepts/refresh-token-rotation, which is also supported by the Auth0 SPA SDK

like image 166
Mathias Conradt Avatar answered Oct 21 '22 00:10

Mathias Conradt