javascript, auth0, auth0-lock

How do I get a refresh token from auth0 passwordless using lock v11?


I have an old-school AngularJS app that has two pages. On both of the pages I include the Auth0 Lock script.

<script src="https://cdn.auth0.com/js/lock/11.9.0/lock.min.js"></script>

Of those two pages, one has the following js that specifies an auth0 lock to allow users to login:

new Auth0LockPasswordless(configuration.id, configuration.domain, {
    allowedConnections: ['email'],
    passwordlessMethod: "link",
    auth: {
        redirectUrl: configuration.redirectUrl,
        responseType: 'token id_token',
        params: {
            scope: 'openid profile email offline_access'
        }
    }
}).show();

and the other page is responsible for the callback after they've clicked the link in their email.

var lock = new Auth0LockPasswordless(configuration.id, configuration.domain);

lock.on('authorization_error', function(authResult) {
    console.log("DEBUG::AUTHRESULT::", authResult);
});

lock.on('authenticated', function(authResult) {
    console.log("DEBUG::AUTHRESULT::", authResult);
});

Now I've set offline_access in the scope of the request, and on my local environment I've been prompted for additional permissions when authenticating (so it's making it through). However, when I check the log from the lock.on('authenticated', function(authResult) ...) handler, refreshToken is always null.

There's some conflicting documentation around the web, with suggestions both that Lock will and that it won't return a refresh token. Is anyone able to confirm whether this code should result in a valid refreshToken?


Solution

  • As @user44 said above in the comments, you shouldn't use a refresh token in a SPA (Single Page Application), as it's not a secure client and there's no way to store the token securely. Instead, use the silent authentication approach to request new access tokens.

    https://auth0.com/docs/api-auth/tutorials/silent-authentication

    Depending on which SDK you're using, either auth0-spa-js or auth0.js:

    (Disclaimer: I work at Auth0 as Sr. Solutions Engineer)


    Update (07. May 2020):

    It should be noted that Auth0 recently introduced Refresh Token Rotation (https://auth0.com/docs/tokens/concepts/refresh-token-rotation), which is also supported by the Auth0 SPA SDK.
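The silent-authentication pattern the answer recommends, as an added example (it is not code from the question, the answer, or Auth0): a small session manager that keeps the access token in memory only, never stores a refresh token, and schedules a non-interactive renewal shortly before expiry. It assumes a `checkSession(options, callback)` function with the `(err, authResult)` callback shape of auth0.js's `WebAuth.checkSession`; the stub that stands in for it, the `RENEW_BUFFER_MS` value and all token strings are constructed here so the file runs offline.

```javascript
// Added example: silent-authentication renewal for a SPA. Access tokens live
// in memory only, no refresh token is requested or stored, and renewal is
// scheduled RENEW_BUFFER_MS before expiry. `checkSession` is injected; in a
// real app pass auth0.js's webAuth.checkSession. The timer and clock are
// injectable so the logic can be exercised deterministically.

const RENEW_BUFFER_MS = 60 * 1000; // renew one minute before expiry (our choice, not an Auth0 value)

class SilentSession {
  constructor({ checkSession, setTimer = setTimeout, clearTimer = clearTimeout,
                now = Date.now, onLoginRequired = () => {} }) {
    this.checkSession = checkSession;
    this.setTimer = setTimer;
    this.clearTimer = clearTimer;
    this.now = now;
    this.onLoginRequired = onLoginRequired;
    this.accessToken = null;
    this.idToken = null;
    this.expiresAt = 0;
    this.timer = null;
  }

  // Take an authResult (from Lock's 'authenticated' event or from checkSession),
  // keep only what the SPA needs, and schedule the next silent renewal.
  accept(authResult) {
    if (!authResult || !authResult.accessToken || !(authResult.expiresIn > 0)) {
      throw new Error('authResult missing accessToken or expiresIn');
    }
    this.accessToken = authResult.accessToken;
    this.idToken = authResult.idToken || null;
    this.expiresAt = this.now() + authResult.expiresIn * 1000;
    // authResult.refreshToken, if ever present, is deliberately not stored:
    // a browser has no safe place to keep a long-lived credential.
    return this.scheduleRenewal();
  }

  // Returns the delay in ms until the renewal fires (handy for tests and logs).
  scheduleRenewal() {
    if (this.timer !== null) this.clearTimer(this.timer);
    const delay = Math.max(0, this.expiresAt - this.now() - RENEW_BUFFER_MS);
    this.timer = this.setTimer(() => this.renew(), delay);
    return delay;
  }

  // Ask the authorization server for a fresh token using the existing SSO
  // session, with no user interaction. On error (e.g. the session expired),
  // drop our state and let the app decide how to re-authenticate.
  renew() {
    this.checkSession({ responseType: 'token id_token' }, (err, result) => {
      if (err) {
        this.clear();
        this.onLoginRequired(err);
        return;
      }
      this.accept(result);
    });
  }

  isValid() {
    return this.accessToken !== null && this.now() < this.expiresAt;
  }

  clear() {
    if (this.timer !== null) this.clearTimer(this.timer);
    this.timer = null;
    this.accessToken = null;
    this.idToken = null;
    this.expiresAt = 0;
  }
}

// Stand-alone demo with a constructed stub in place of webAuth.checkSession.
function demo() {
  let calls = 0;
  const stubCheckSession = (_options, cb) => {
    calls += 1;
    cb(null, { accessToken: 'constructed-token-' + calls, idToken: 'constructed-id', expiresIn: 7200 });
  };
  const pending = []; // captured timers instead of real setTimeout
  const session = new SilentSession({
    checkSession: stubCheckSession,
    setTimer: (fn, delay) => { pending.push({ fn, delay }); return pending.length; },
    clearTimer: () => {},
    now: () => 1000000,
  });
  const firstDelay = session.accept({
    accessToken: 'constructed-token-0', idToken: 'constructed-id',
    expiresIn: 7200, refreshToken: 'CONSTRUCTED-SHOULD-NOT-BE-KEPT',
  });
  pending.pop().fn(); // fire the scheduled renewal immediately
  return { firstDelay, token: session.accessToken, valid: session.isValid(),
           storedRefresh: 'refreshToken' in session, calls };
}
```

In a real page you would wire `checkSession` to `new auth0.WebAuth({...}).checkSession.bind(webAuth)` and handle `onLoginRequired` by redirecting to Lock; the point of the injection is that the renewal policy can be tested without a network.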