How do I get a refresh token from auth0 passwordless using lock v11?
I have an old-school angularJs app that has two pages. On both of the pages I include the auth0 lock script.

<script src="https://cdn.auth0.com/js/lock/11.9.0/lock.min.js"></script>

Of those two pages, one has the following js that specifies an auth0 lock to allow users to login:

new Auth0LockPasswordless(configuration.id,configuration.domain,
{
    allowedConnections: ['email'],
    passwordlessMethod: "link",
    auth: {
        redirectUrl: configuration.redirectUrl,
        responseType: 'token id_token',
        params: {
            scope: 'openid profile email offline_access'
        }
    }
}).show();

and the other page is responsible for the call-back after they've clicked the link in their email.

var lock = new Auth0LockPasswordless(configuration.id, configuration.domain);

lock.on('authorization_error',
    function(authResult) {
        console.log("DEBUG::AUTHRESULT::", authResult);
});

lock.on('authenticated',
    function(authResult) {
        console.log("DEBUG::AUTHRESULT::", authResult);
});

Now I've set offline_access in the scope of the request, and on my local environment I've been prompted for additional permissions when authenticating (so it's making it through). However, when I check the log from the lock.on('authenticated', function(authResult) ... callback, refreshToken is always null.

There's some conflicting documentation around the web, with suggestions both that lock will and that it won't return a refresh token. Is anyone able to confirm whether this code should result in a valid refreshToken?

Flesher answered 27/10, 2018 at 21:50 Comment(7)
Hello Lucas, it definitely appears that it is possible to get a refresh token even when using passwordless authentication. I did some searching and discovered that you may be having problems because of how your rules are set up. Can you confirm this? – Greensboro
@NathanielFredericks, I do have some custom rules, none of which make reference to the refresh token. What exactly is it about the rules that would cause this issue? – Flesher
What is your grant_type? It should be refresh_token. – Greensboro
As far as I'm aware you don't set grant_type on the passwordless lock settings. I added it as a test to auth.params.grant_type: 'refresh_token'. However, the auth0 response still has a null refreshToken. – Flesher
I am not sure... – Greensboro
If it's a client-side web app, I think you should not use offline_access or refresh tokens, and instead implement silent signin. Refresh tokens should never be sent to the browser. auth0.com/docs/tokens/refresh-token/current – Biennial
It should be noted that Auth0 recently introduced Refresh Token Rotation auth0.com/docs/tokens/concepts/refresh-token-rotation, which is also supported by the Auth0 SPA SDK – Sarette

As @user44 said above in the comments, you shouldn't use a refresh token in a SPA (Single Page Application), as it's not a secure client and there's no way to store it securely. Instead, use the silent authentication approach to request new access tokens.

https://auth0.com/docs/api-auth/tutorials/silent-authentication

Depending on which SDK you're using, either auth0-spa-js or auth0.js:

(Disclaimer: I work at Auth0 as Sr. Solutions Engineer)


Update (07. May 2020):

It should be noted that Auth0 recently introduced Refresh Token Rotation https://auth0.com/docs/tokens/concepts/refresh-token-rotation, which is also supported by the Auth0 SPA SDK

Sarette answered 6/4, 2020 at 8:11 Comment(0)
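The silent-authentication approach the answer recommends, as an added example that is not from the question, the answer or Auth0's own code: a small token manager that keeps the access token in memory only, renews it shortly before expiry, and treats a failed silent check as a signal to start an interactive login. The `checkSession` function is injected; in a real app it would be auth0.js's `webAuth.checkSession(options, callback)`, and the `audience` and `scope` values below are placeholders.

```javascript
// createTokenManager(checkSession, opts)
//   checkSession(options, cb(err, authResult)) performs the silent
//   (prompt=none) request; auth0.js webAuth.checkSession has this shape.
//   opts.now / opts.skewMs exist so the renewal logic is testable.
function createTokenManager(checkSession, opts) {
  const cfg = opts || {};
  const now = cfg.now || (() => Date.now());
  const skewMs = cfg.skewMs !== undefined ? cfg.skewMs : 60 * 1000; // renew 60 s early
  let session = null; // in-memory only: never written to localStorage

  // Store the result of a login or silent renewal. Lock and auth0.js return
  // expiresIn in seconds, so convert to an absolute millisecond timestamp.
  function apply(authResult) {
    if (!authResult || !authResult.accessToken || !authResult.expiresIn) {
      throw new Error('authResult is missing accessToken or expiresIn');
    }
    session = {
      accessToken: authResult.accessToken,
      idToken: authResult.idToken || null,
      expiresAt: now() + authResult.expiresIn * 1000,
    };
    return session;
  }

  // True when there is no token or it expires within the skew window.
  function needsRenewal() {
    return !session || now() + skewMs >= session.expiresAt;
  }

  // cb(err, accessToken). Uses the cached token when still valid, otherwise
  // runs a silent renewal. On error (e.g. login_required because the Auth0
  // session cookie is gone or third-party cookies are blocked) the cache is
  // cleared and err.interactive tells the caller to redirect to login.
  function getAccessToken(cb) {
    if (!needsRenewal()) return cb(null, session.accessToken);
    checkSession({ audience: cfg.audience, scope: cfg.scope }, (err, result) => {
      if (err) {
        session = null;
        const e = new Error('silent authentication failed: ' + (err.error || 'unknown'));
        e.code = err.error || 'unknown';
        e.interactive = true;
        return cb(e);
      }
      try { cb(null, apply(result).accessToken); } catch (e) { cb(e); }
    });
  }

  return { apply, needsRenewal, getAccessToken };
}
```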
