
In a React Native app, how do you obtain a refresh token? I see in the docs that you can call the refresh token endpoint directly via the delegation endpoint in the REST API, but is there a more abstracted way to do it using the Auth0 Lock component? Perhaps some sort of setting like "remember login" that does all the plumbing for you?

If not, then to implement it ourselves would we call the refresh token service on every app start? And if so, do we make REST call directly or should we do it through an auth0 library of some sort?

Is there sample code that uses the library that shows the needed steps, like:

  • check that the existing token has not expired
  • obtain a refresh token
  • redeem the refresh token for an access token

Or, have these steps been abstracted away by the library in some way?

1 Answer

The id_token that you receive as the outcome of user authentication follows the OpenID Connect specification so it will include an exp claim that you can check in order to detect expiration.

exp: Expiration time on or after which the ID Token MUST NOT be accepted for processing. The processing of this parameter requires that the current date/time MUST be before the expiration date/time listed in the value. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.

(emphasis is mine; source: OpenID Connect)

If the offline_access scope is included when performing the authentication process you should get a refresh token issued alongside the ID token.

According to react-native-lock documentation you can then use the authenticationAPI() method to get an Authentication API client that can be used to refresh user's token.

The specific call can be seen in the react-native-auth0 documentation:

// Assumed setup, not part of the quoted snippet: the client object the chain hangs off
import Auth0 from 'react-native-auth0';
const auth0 = new Auth0('{YOUR_AUTH0_DOMAIN}');
auth0
  .authentication('{YOUR_CLIENT_ID}')
  .refreshToken('user refresh_token')
  .then(response => console.log(response))   // response carries the newly issued tokens
  .catch(error => console.log(error));
  • is the exp property of the token obtainable by the client - since the client can't fully decrypt the token? – MonkeyBonkey Nov 16 '16 at 12:00
  • The client application should validate the ID token according to the rules specified in section 3.1.3.7. of OpenID Connect. This would include decryption if the token used encryption, but as far as I know the Auth0 issued token is only signed and base64url encoded. Step 9 of the validation process is about validating the `exp` claim. – João Angelo Nov 16 '16 at 12:44
  • ok, then I should be able to extract the exp date from the jwt token using a standard jsonwebtoken library on the client side then – MonkeyBonkey Nov 16 '16 at 13:29
  • https://github.com/auth0/jwt-decode Seems like a good jwt decode library – MonkeyBonkey Nov 16 '16 at 20:01
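Reading the `exp` claim on the client to decide when to call the refresh endpoint, as discussed in the answer and comments above. This is an added example, not code from the question, the answer or Auth0's libraries; the token, its claims, the domain and the timestamps are constructed for the demo. Decoding the payload is not signature validation: it only tells the app when a refresh is due, and a forged token is still rejected by the API.

```javascript
// Minimal base64url codec (JWT segments are base64url without padding, RFC 7515).
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}
function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Extract the claims without verifying the signature (the server still verifies it).
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('not a compact JWS: expected header.payload.signature');
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Spec-style check: accepted while now < exp, with a small clock-skew leeway.
function isIdTokenExpired(token, nowSeconds = Math.floor(Date.now() / 1000), leewaySeconds = 60) {
  const { exp } = decodeJwtPayload(token);
  if (typeof exp !== 'number') return true; // no exp claim: do not trust it, refresh
  return nowSeconds >= exp + leewaySeconds;
}

// App-start decision: refresh proactively when the token is within `marginSeconds` of expiry,
// so a request is not sent with a token that expires in flight.
function tokenAction(token, nowSeconds = Math.floor(Date.now() / 1000), marginSeconds = 300) {
  const { exp } = decodeJwtPayload(token);
  if (typeof exp !== 'number') return 'refresh';
  return nowSeconds + marginSeconds >= exp ? 'refresh' : 'use';
}

// Constructed sample token (dummy signature): issued 2016-11-16T12:00:00Z, valid one hour.
function makeSampleToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.dummy-signature`;
}
const SAMPLE_TOKEN = makeSampleToken({
  iss: 'https://example.auth0.com/', sub: 'auth0|demo-user', aud: 'DEMO_CLIENT_ID',
  iat: 1479297600, exp: 1479301200,
});

console.log(tokenAction(SAMPLE_TOKEN, 1479297600)); // 'use'
console.log(tokenAction(SAMPLE_TOKEN, 1479301000)); // 'refresh' (200 s before exp, inside margin)
```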