auth0-samples / auth0-ionic2-samples

MIT License

auth0.refreshToken() is gone #15

Open saschwarz opened 7 years ago

saschwarz commented 7 years ago

This code no longer compiles under TypeScript due to the change in the Auth0 API that removed the refreshToken method:

https://github.com/auth0-samples/auth0-ionic2-samples/blob/master/01-Login/src/services/auth/auth.service.ts#L158

Is there an example of using auth0.js to background refresh a token like this sample did? I've looked through the other samples and haven't found it yet.

saschwarz commented 7 years ago

It looks like renewAuth is the new method: https://github.com/auth0/auth0.js#api

But it seems to need a callback URL which involves loading the Ionic SPA in an iframe and communicating back to the main frame:

It is strongly recommended to have a dedicated callback page for silent authentication in order to avoid loading your entire application again inside an iframe. This callback page should only parse the URL hash and post it to the parent document so that your application can take action depending on the outcome of the silent authentication attempt.

I'm not sure how best to proceed...

When the Ionic/Auth0 JS code runs on the mobile device its host will be file:///: http://blog.ionic.io/handling-cors-issues-in-ionic/

So you'd need to have a webserver running that can serve the callback page used by renewAuth and then communicate back to the Ionic app(?).

With this new API I don't see how it can all be handled on the local device without loading the entire Ionic App again in the iframe. I'm still wrapping my head around this and would love any suggestions.

brassier commented 7 years ago

@saschwarz - I ran into the exact same concern. Ionic is primarily a hybrid mobile app tech, but can be used as pure web too. In my case we want the same code to be used for both. So for refresh tokens on devices we're just hitting the Auth0 delegation endpoint directly with the refresh token. Sounds like this might be the best option for now.

https://auth0.com/forum/t/ionic-2-quickstart-old-auth0-dependencies/5688

saschwarz commented 7 years ago

@brassier thanks a lot for the feedback! I went through the links in that discussion and it seems I can't use the auth0 v8 API directly. IIUC you're saying I should use Http to directly interact with the endpoint(?)

I found the API docs for it: https://auth0.com/docs/api/authentication?http#delegation

In this scenario do I only need to provide client_id, grant_type and refresh_token since I'm refreshing for the same client_id and not actually delegating?

This seems to imply so (and adds "api_type": "app") but I'm really unclear on where versioning of HTTP APIs happens at Auth0: https://auth0.com/docs/tokens/refresh-token#use-a-refresh-token

brassier commented 7 years ago

I'm no expert on this, but your take on it is similar to mine. Just use HTTP to hit this delegation endpoint. Likely not the most secure of options, but it may be the best option for now.

The inputs you mention are the same as what I'm requesting, except that I also request a scope. Scope may not be required though.
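The exchange the two comments above describe, written out as an added example (not the sample project's auth.service.ts and not Auth0's own code): the request body posted to the delegation endpoint carries client_id, grant_type, refresh_token, api_type "app" and an optional scope, and the response's id_token is decoded (payload only, no signature check) to learn its exp so the next background refresh can be scheduled. The transport is injected so the same code runs against Angular Http or fetch and can be exercised offline with a fake; the domain, client_id, refresh token and the JWT in the sample response are constructed placeholders. Note that this is the endpoint brassier's later comment moves away from in favour of the Cordova SDK with PKCE.

```typescript
// Request shape for POST https://<domain>/delegation when refreshing for the same client.
interface DelegationRequest {
  client_id: string;
  grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer";
  refresh_token: string;
  api_type: "app";
  scope?: string; // optional, e.g. "openid"
}

// Response shape documented for the delegation endpoint.
interface DelegationResponse {
  id_token: string;
  token_type: string;
  expires_in: number;
}

interface JwtClaims {
  exp?: number;
  [claim: string]: unknown;
}

const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// Pure base64url decoder (no atob/Buffer) so the block runs in a WebView and in Node alike.
// Accepts the plain base64 alphabet and trailing padding too.
function base64UrlDecode(input: string): string {
  const clean = input.replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
  const bytes: number[] = [];
  let acc = 0;
  let bits = 0;
  for (const ch of clean) {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error(`invalid base64url character: ${ch}`);
    acc = (acc << 6) | v;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      bytes.push((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1; // keep only the leftover low bits
    }
  }
  // Percent-encode each byte and let decodeURIComponent handle UTF-8 sequences.
  return decodeURIComponent(bytes.map((b) => "%" + b.toString(16).padStart(2, "0")).join(""));
}

// Decode the payload of a compact JWS. This does NOT verify the signature: on the client
// the only use for the claims is scheduling; never make authorization decisions on them.
export function decodeJwtClaims(jwt: string): JwtClaims {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS (expected header.payload.signature)");
  return JSON.parse(base64UrlDecode(parts[1])) as JwtClaims;
}

export function buildDelegationRequest(clientId: string, refreshToken: string, scope?: string): DelegationRequest {
  const body: DelegationRequest = {
    client_id: clientId,
    grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
    refresh_token: refreshToken,
    api_type: "app",
  };
  if (scope) body.scope = scope;
  return body;
}

// Validate the raw JSON the endpoint returned and pull out the id_token and its exp.
export function parseDelegationResponse(raw: unknown): { idToken: string; exp: number } {
  const res = raw as Partial<DelegationResponse>;
  if (typeof res.id_token !== "string") throw new Error("delegation response has no id_token");
  const claims = decodeJwtClaims(res.id_token);
  if (typeof claims.exp !== "number") throw new Error("id_token carries no exp claim");
  return { idToken: res.id_token, exp: claims.exp };
}

// Milliseconds until the token should be refreshed: `leadSec` before exp, never negative.
export function msUntilRefresh(exp: number, nowSec: number, leadSec = 60): number {
  return Math.max(0, (exp - leadSec - nowSec) * 1000);
}

// Injected transport: in the app this wraps Angular Http or fetch and resolves with parsed JSON.
export type PostJson = (url: string, body: unknown) => Promise<unknown>;

export async function refreshIdToken(
  domain: string,
  clientId: string,
  refreshToken: string,
  post: PostJson,
  scope?: string,
): Promise<{ idToken: string; exp: number }> {
  const raw = await post(`https://${domain}/delegation`, buildDelegationRequest(clientId, refreshToken, scope));
  return parseDelegationResponse(raw);
}

// Constructed sample response: an unsigned-looking JWT whose payload is {"exp":1700000000}.
export const SAMPLE_RESPONSE: DelegationResponse = {
  token_type: "Bearer",
  expires_in: 36000,
  id_token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MDAwMDAwMDB9.c2ln",
};
```

In the app the refresh token itself has to live somewhere on the device, and whatever storage that is becomes the thing to protect; the id_token exp read here only drives the timer, and the response must still be treated as untrusted input (the parse function rejects anything without a string id_token or a numeric exp rather than storing it).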

dankellett commented 7 years ago

I would love to see the Cordova SDK expanded to include the refresh token to avoid confusion. Switching back between the Cordova SDK, auth0.js, and the API is incredibly confusing and wastes a lot of investigation time when you don't realize that certain parts of the SDKs are missing and calls in auth0.js aren't appropriate for mobile app scenarios - but the auth0.js SDK is included in the example!

brassier commented 7 years ago

We found that the suggested Ionic and Auth0 integration changed quite a bit since this issue was opened, likely due to the Auth0 OIDC conformant push. We are no longer doing refresh tokens on the web side, only on the native side (for security reasons). We are also doing PKCE for native via the Auth0 Cordova SDK, and a SPA workflow for pure web. We effectively have two different authentication approaches in the same app: one for web, one for native. Seems to work fine though, and likely more secure than the other approach. For documentation, the Cordova/PKCE approach is documented in the latest Ionic quickstart. A web version can be found by looking at the Angular 2 quickstart.