In our 7+ microservices we rely on the Auth0 id_token. When exchanging a refresh_token (POST myapp.auth0.com/oauth/token) I only get back an access_token and not a id_token.
How do I exchange a refresh_token for an id_token with Auth0's API?
Technically the refresh_token grant type is part of OAuth 2.0 and the id_token is part of OpenID Connect, an identity protocol built on top of OAuth 2.0.
The refresh_token grant type of OAuth 2.0 allows for renewing access tokens (only). OpenID Connect doesn't define additional behavior beyond that for a good reason: the id_token is defined as the result of a user authentication event and a "authentication refresh" without user interaction can thus not result in a new id_token. The user may have left, logged out or his/her account removed in the mean time.
Refreshing an id_token should be done by sending the user to the OpenID Connect Provider again, not by using a refresh token autonomously.
It appears the refresh token grant is for Auth0's new API Authorization feature. The endpoint I was looking for was /delegation.
Example Node.js code:
const tokenClient = axios.create({
baseURL: `https://${env.AUTH0_DOMAIN}`,
headers: {
'content-type': 'application/json'
}
})
const refreshTokenClient = {
getAccessToken: (refreshToken) => {
// The official Node.js SDK for Auth0 does not
// support this it would seem (it forces passing id_token)
return tokenClient.post('/delegation', {
client_id: env.AUTH0_CLIENT_ID,
target: env.AUTH0_CLIENT_ID,
grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
refresh_token: refreshToken,
scope: 'openid',
api_type: 'auth0'
}).then(r => r.data)
}
}