
refreshToken every time null

Open mohammad-aljamil opened this issue 1 year ago • 1 comments

Checklist

  • [X] The issue can be reproduced in the auth0-js sample app (or N/A).
  • [X] I have looked into the Readme and Examples, and have not found a suitable solution or answer.
  • [X] I have looked into the API documentation and have not found a suitable solution or answer.
  • [X] I have searched the issues and have not found a suitable solution or answer.
  • [X] I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • [X] I agree to the terms within the Auth0 Code of Conduct.

Description

The refreshToken returns null every time.

I enabled offline_access in the app settings.

// WebAuth client as configured in the app (placeholder values)
this.auth0 = new auth0.WebAuth({
  domain: 'AUTH0_DOMAIN',
  audience: 'AUTH0_API_AUDIENCE',
  clientID: 'AUTH0_CLIENT_ID',
  redirectUri: window.location.origin + '/callback',
  responseType: 'token id_token',
  scope: ['openid', 'profile', 'email', 'user_metadata', 'offline_access'].join(' '),
});

// Silent re-authentication: resolves with the authResult from checkSession
silentAuth = () => {
  return new Promise((resolve, reject) => {
    this.auth0.checkSession({}, (err, authResult) => {
      if (err) return reject(err);
      resolve(authResult);
    });
  });
};

This is the JSON it returns:

{
    "accessToken": "xxxx",
    "idToken": "xxxxx",
    "idTokenPayload": { ... details },
    "appState": "xxx",
    "refreshToken": null,
    "state": "xxx",
    "expiresIn": 7200,
    "tokenType": "Bearer",
    "scope": "openid profile email offline_access"
}

When I use the React Auth0 SDK I can get a refreshToken.

Reproduction

1. silentAuth

Additional context

No response

auth0-js version

9.26.1

Which browsers have you tested in?

Edge, Other

mohammad-aljamil avatar Jun 30 '24 08:06 mohammad-aljamil

According to the official openid documentation: https://openid.net/specs/openid-connect-core-1_0.html#Authentication -> what you're trying to achieve is not possible:

  • response_type: 'token id_token' -> implicit flow

but the implicit flow does not support refresh tokens.

What you have to do is change your flow to either:

  • response_type: 'code id_token token' -> hybrid flow with id_token
  • response_type: 'code token' -> hybrid flow without id_token

meck93 avatar Aug 22 '24 10:08 meck93

Hi @mohammad-aljamil,

Thank you for reporting this issue, and apologies for the delayed response — we appreciate your patience.


Why is refreshToken null?

Because your app is using Implicit Flow (responseType: 'token id_token'), which never returns refresh tokens, even if you request the offline_access scope.


What’s happening?

  • You correctly request offline_access — which is required for refresh tokens ✅
  • But since the app uses Implicit Flow, Auth0 does not issue refresh tokens ❌
  • Implicit Flow delivers tokens via URL hash, which is not secure enough for refresh tokens
  • Refresh tokens require a more secure flow like Authorization Code with PKCE

Why?

Implicit Flow is designed for browser-only apps and cannot safely store long-lived credentials like refresh tokens. OAuth2 and Auth0 explicitly disallow refresh tokens in this flow for security reasons.


If you have any questions or need further help, please feel free to reach out or add a comment.

amitsingh05667 avatar Jul 11 '25 07:07 amitsingh05667