
I have an old-school angularJs app that has two pages. On both of the pages I include the auth0 lock script.

<script src="https://cdn.auth0.com/js/lock/11.9.0/lock.min.js"></script>

Of those two pages, one has the following js that specifies an auth0 lock to allow users to login:

new Auth0LockPasswordless(configuration.id,configuration.domain,
{
    allowedConnections: ['email'],
    passwordlessMethod: "link",
    auth: {
        redirectUrl: configuration.redirectUrl,
        responseType: 'token id_token',
        params: {
            scope: 'openid profile email offline_access'
        }
    }
}).show();

and the other page is responsible for the call-back after they've clicked the link in their email.

var lock = new Auth0LockPasswordless(configuration.id, configuration.domain);

lock.on('authorization_error', function(authResult) {
    console.log("DEBUG::AUTHRESULT::", authResult);
});

lock.on('authenticated', function(authResult) {
    console.log("DEBUG::AUTHRESULT::", authResult);
});

Now I've set offline_access in the scope of the request, and on my local environment I've been prompted for additional permissions when authenticating (so it's making it through). However, when I check the log from the lock.on('authenticated', function(authResult) ...) callback, refreshToken is always null.

There's some conflicting documentation around the web, with suggestions both that lock will and that it won't return a refresh token. Is anyone able to confirm whether this code should result in a valid refreshToken?

Lucas
  • Hello Lucas, it definitely appears that it is possible to get a refresh token even when using passwordless authentication. I did some searching and discovered that you may be having problems because of how your rules are set up. Can you confirm this? –  Oct 30 '18 at 11:36
  • @NathanielFredericks, I do have some custom rules. None of which make reference to the refresh token. What exactly is it about the rules that would cause this issue? – Lucas Oct 30 '18 at 19:23
  • What is your grant_type? It should be `refresh_token`. –  Oct 31 '18 at 14:21
  • As far as I'm aware you don't set `grant_type` on the passwordless lock settings. I added it as a test to the `auth.params.grant_type: 'refresh_token'`. However, the auth0 response still has a null refreshToken. – Lucas Oct 31 '18 at 18:57
  • I am not sure... –  Nov 02 '18 at 11:37
    If it's a client-side web app, I think you should not use offline_access or refresh tokens, and instead implement silent signin. Refresh tokens should never be sent to the browser. https://auth0.com/docs/tokens/refresh-token/current – user44 Mar 10 '19 at 22:42
  • It should be noted that Auth0 recently introduced Refresh Token Rotation https://auth0.com/docs/tokens/concepts/refresh-token-rotation, which is also supported by the Auth0 SPA SDK – Mathias Conradt May 07 '20 at 06:22

1 Answer

As @user44 said above in the comments, you shouldn't use a refresh token in a SPA (Single Page Application), as it's not a secure client and has no way to store it securely. Instead, use the silent authentication approach to request new access tokens.

https://auth0.com/docs/api-auth/tutorials/silent-authentication

Depending on which SDK you're using, either auth0-spa-js or auth0.js:

(Disclaimer: I work at Auth0 as Sr. Solutions Engineer)


Update (07. May 2020):

It should be noted that Auth0 recently introduced Refresh Token Rotation https://auth0.com/docs/tokens/concepts/refresh-token-rotation, which is also supported by the Auth0 SPA SDK

Mathias Conradt
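As an added example (not code from the question or the answer), this shows the pattern the answer recommends: keep Lock's authResult in memory only, never expect or store a refreshToken in the browser, and renew the access token through silent authentication. The injected `checkSession` is assumed to have the shape of auth0.js's `WebAuth.checkSession(options, callback)`; a constructed stub stands in for it so the block runs offline.

```javascript
// Added example: in-memory token handling for a SPA that relies on silent
// authentication instead of a refresh token. Nothing is written to localStorage.
function createTokenStore(checkSession, now = () => Date.now()) {
  let current = null;

  // Accept an authResult shaped like the one Lock's 'authenticated' event passes.
  // A refreshToken property, if one ever appeared, is deliberately not copied.
  function accept(authResult) {
    if (!authResult || !authResult.accessToken || !authResult.expiresIn) {
      throw new Error('authResult lacks accessToken/expiresIn');
    }
    current = {
      accessToken: authResult.accessToken,
      idToken: authResult.idToken,
      expiresAt: now() + authResult.expiresIn * 1000, // expiresIn is seconds
    };
    return current;
  }

  // True when there is no token or it expires within `leewayMs`.
  function needsRenewal(leewayMs = 60 * 1000) {
    return current === null || current.expiresAt - now() <= leewayMs;
  }

  // Silent renewal: checkSession performs the prompt=none /authorize call in a
  // hidden iframe (assumed auth0.js behaviour) and returns a fresh authResult.
  function renew() {
    return new Promise((resolve, reject) => {
      checkSession({ responseType: 'token id_token', scope: 'openid profile email' },
        (err, result) => {
          if (err) return reject(err);
          try { resolve(accept(result)); } catch (e) { reject(e); }
        });
    });
  }

  return { accept, needsRenewal, renew, get: () => current };
}

// Constructed stub in place of a real Auth0 session, so this runs offline.
function stubCheckSession(options, cb) {
  cb(null, { accessToken: 'constructed-access-token', idToken: 'constructed-id-token', expiresIn: 7200 });
}

const demoStore = createTokenStore(stubCheckSession);
demoStore.renew().then((t) => console.log('renewed, expires at', new Date(t.expiresAt).toISOString()));
```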