
Refresh Token Grant Access Token is Missing Payload #983

Open
5 tasks done
davidwarshaw opened this issue Jan 26, 2024 · 2 comments
Labels
bug This points to a verified bug in the code

Comments

davidwarshaw commented Jan 26, 2024

Checklist

  • I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
  • I have looked into the API documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Description

I’m using the latest version of auth0-node (4.2.0) to do a refresh grant exactly as shown in the example:

import { AuthenticationClient } from 'auth0';

const auth = new AuthenticationClient({
  domain: '{YOUR_TENANT_AND REGION}.auth0.com',
  clientId: '{YOUR_CLIENT_ID}',
  clientSecret: '{YOUR_CLIENT_SECRET}',
});

// Get a new access token
const {
  data: { access_token },
} = await auth.oauth.refreshTokenGrant({
  refresh_token: refreshToken,
});

I’ve populated domain with the tenant and region subdomain as shown in the example. The access token returned is missing the payload:

"access_token": "[...]29tLyJ9..JdBYlv[...]", // <- token is missing payload:

I posted this issue to the Auth0 community board: https://community.auth0.com/t/auth0-node-refresh-grant-missing-payload/125305

Reproduction

  1. Create the client as in the example:

const auth = new AuthenticationClient({
  domain: '{YOUR_TENANT_AND REGION}.auth0.com',
  clientId: '{YOUR_CLIENT_ID}',
  clientSecret: '{YOUR_CLIENT_SECRET}',
});

  2. Make a refresh token grant using the client method:

// Get a new access token
const data = await auth.oauth.refreshTokenGrant({ refresh_token: refreshToken });

  3. The access token is missing the payload:

[...]
    "access_token": "[...]29tLyJ9..JdBYlv[...]", // <- token is missing payload:
[...]

Additional context

The node grant request looks like this:

{
  path: '/oauth/token',
  method: 'POST',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  body: URLSearchParams {
    'client_id' => MY_CLIENT_ID,
    'refresh_token' => MY_REFRESH_TOKEN,
    'client_secret' => MY_CLIENT_SECRET,
    'grant_type' => 'refresh_token' }
}

By default, the request is not sent with the audience, which could result in the access token payload being missing. I tried passing the audience in the grant payload:

const data = await auth0.oauth.refreshTokenGrant({
  audience: MY_AUDIENCE,
  refresh_token,
});

which resulted in the audience being sent in the request:

{
  path: '/oauth/token',
  method: 'POST',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  body: URLSearchParams {
    'client_id' => MY_CLIENT_ID,
    'audience' => MY_AUDIENCE,
    'refresh_token' => MY_REFRESH_TOKEN,
    'client_secret' => MY_CLIENT_SECRET,
    'grant_type' => 'refresh_token' }
}

however, the access token was still missing the payload.

The equivalent curl command also returned an access token with missing payload.

❯ curl --request POST   --url https://MY_DOMAIN/oauth/token   --header 'content-type: application/json'   --data '{"client_id":"MY_CLIENT_ID","client_secret":"MY_CLIENT_SECRET","audience":"MY_AUDIENCE","grant_type":"refresh_token", "refresh_token": "MY_REFRESH_TOKEN"}'

Password and client credentials grants work without issue.

node-auth0 version

4.2.0

Node.js version

18.16.0

@davidwarshaw davidwarshaw added the bug This points to a verified bug in the code label Jan 26, 2024
davidwarshaw (Author) commented

Re the community forum post here: https://community.auth0.com/t/auth0-node-refresh-grant-missing-payload/125305

This is expected behavior. In order for a refresh token grant to return a JWT access token, instead of an opaque token (token without a payload), the original offline_access token grant must have included an audience. This is not clear in the documentation. I opened PR: #984 to clarify.

frederikprijck (Member) commented

Thanks for the PR. I left a comment on the PR.
