
GetTokenSilentlyVerboseResponse - do not omit refresh_token #1335

Open
5 tasks done
collin-thomas opened this issue Jan 27, 2025 · 1 comment
Labels
feature request A feature has been asked for or suggested by the community

Comments


collin-thomas commented Jan 27, 2025

Checklist

Describe the problem you'd like to have solved

I need access to the access token, id token, and refresh token. However, the GetTokenSilentlyVerboseResponse of getAccessTokenSilently() omits refresh_token.

The developer already specifies detailedResponse: true as part of the arguments to getAccessTokenSilently(). So, I would argue that omitting the refresh_token is counterintuitive.

See

auth0-spa-js/src/global.ts

Lines 648 to 651 in f2e5668

export type GetTokenSilentlyVerboseResponse = Omit<
  TokenEndpointResponse,
  'refresh_token'
>;

Describe the ideal solution

#1 Modify the type GetTokenSilentlyVerboseResponse to not omit refresh_token.
Modify Type:

auth0-spa-js/src/global.ts

Lines 648 to 651 in f2e5668

export type GetTokenSilentlyVerboseResponse = Omit<
  TokenEndpointResponse,
  'refresh_token'
>;

#2 Destructure refresh_token from authResult and add it to the return object.
Change Code:

const { id_token, access_token, oauthTokenScope, expires_in } =
  authResult;
return {
  id_token,
  access_token,
  ...(oauthTokenScope ? { scope: oauthTokenScope } : null),
  expires_in
};

Alternatives and current workarounds

No response

Additional context

This issue #715 states that refresh_token is not returned for security reasons. What security reasons?

We cannot return all the information from the exchange. For example, we would not return the refresh token for security reasons. By default we already strip this off and hold it internally.

The only time I've seen someone else reference the refresh_token being omitted from the response is in this issue: #1013.

@collin-thomas collin-thomas added the feature request A feature has been asked for or suggested by the community label Jan 27, 2025
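To make the two response shapes concrete, the following is an added example (not auth0-spa-js code) that models the quoted destructuring with the current `Omit`-based type beside the proposed variant; `AuthResult`, `TokenEndpointResponse` fields and the sample values are assumptions for illustration.

```typescript
// Added example, not SDK code: minimal model of the token exchange result
// and of the two verbose response shapes discussed in this issue.
type TokenEndpointResponse = {
  id_token: string;
  access_token: string;
  refresh_token?: string;
  expires_in: number;
  scope?: string;
};

// Current type as quoted from global.ts: refresh_token removed at the type level.
type GetTokenSilentlyVerboseResponse = Omit<TokenEndpointResponse, 'refresh_token'>;

// Proposed type (#1 in the issue): the full exchange result, refresh_token included.
type ProposedVerboseResponse = TokenEndpointResponse;

// Hypothetical shape of the SDK-internal auth result used in the quoted destructuring.
type AuthResult = TokenEndpointResponse & { oauthTokenScope?: string };

// Current behaviour: the response is built without refresh_token, which the
// SDK holds internally instead of handing it to application code.
function toVerboseResponse(authResult: AuthResult): GetTokenSilentlyVerboseResponse {
  const { id_token, access_token, oauthTokenScope, expires_in } = authResult;
  return {
    id_token,
    access_token,
    ...(oauthTokenScope ? { scope: oauthTokenScope } : null),
    expires_in,
  };
}

// Proposed behaviour (#2 in the issue): also destructure and return refresh_token.
function toProposedResponse(authResult: AuthResult): ProposedVerboseResponse {
  const { id_token, access_token, oauthTokenScope, expires_in, refresh_token } = authResult;
  return {
    id_token,
    access_token,
    ...(oauthTokenScope ? { scope: oauthTokenScope } : null),
    expires_in,
    ...(refresh_token ? { refresh_token } : null),
  };
}

// Constructed sample exchange result (placeholder strings, not real tokens).
const sampleAuthResult: AuthResult = {
  id_token: 'ID_TOKEN_PLACEHOLDER',
  access_token: 'ACCESS_TOKEN_PLACEHOLDER',
  refresh_token: 'REFRESH_TOKEN_PLACEHOLDER',
  expires_in: 86400,
  oauthTokenScope: 'openid profile offline_access',
};
```

With the current mapping the refresh token never reaches the caller, which is the behaviour #715 describes; the proposed mapping returns it alongside the other fields.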

abmagil commented Feb 7, 2025

I also have a need for the refresh token. In my case, I would like to give the user a warning that their access is about to end, but this isn't possible with invisible refresh tokens: I can parse the access token to know when it expires, but that's irrelevant when there is a refresh token that would renew their access. I would like to also parse the refresh token to get the expiration, but I cannot because it is hidden from me.
