auth0 / auth0-react

Auth0 SDK for React Single Page Applications (SPA)
MIT License

access_type offline implementation #781

Closed alexcastrodev closed 4 months ago

alexcastrodev commented 4 months ago

Description

Based on Issue: https://github.com/auth0/auth0-react/issues/457

Has this implementation changed? I have tried to find it in this repository, but there is no related reference for this.

Also, here I comment on everything I did.

Reproduction

 <Auth0Provider
      // access_type='offline' - Can't find this, did it change?
      cacheLocation='localstorage'
      domain={AUTH0_ISSUER_BASE_BUILDER}
      clientId={clientId}
      authorizationParams={{
        redirect_uri: SITE_URL,
        audience: AUTH0_AUDIENCE,
        scope: AUTH0_SCOPE,
        // access_type: 'offline', it also does not work
      }}
    >
      { children}
    </Auth0Provider>

and I don't receive a Google refresh_token, only an access_token (inside identities -> google).

Additional context

auth0-js => 9.26.1

auth0-react version

2.2.4

React version

18.x

Which browsers have you tested in?

Chrome

frederikprijck commented 4 months ago

From the SDK perspective, this should work:

<Auth0Provider
      cacheLocation='localstorage'
      domain={AUTH0_ISSUER_BASE_BUILDER}
      clientId={clientId}
      authorizationParams={{
        redirect_uri: SITE_URL,
        audience: AUTH0_AUDIENCE,
        scope: AUTH0_SCOPE,
        access_type: 'offline',
      }}
    >
      { children}
    </Auth0Provider>

Can u verify it gets sent to auth0's /authorize endpoint in the network tab?

alexcastrodev commented 4 months ago

> From the SDK perspective, this should work:
>
> <Auth0Provider
>       cacheLocation='localstorage'
>       domain={AUTH0_ISSUER_BASE_BUILDER}
>       clientId={clientId}
>       authorizationParams={{
>         redirect_uri: SITE_URL,
>         audience: AUTH0_AUDIENCE,
>         scope: AUTH0_SCOPE,
>         access_type: 'offline',
>       }}
>     >
>       { children}
>     </Auth0Provider>
>
> Can u verify it gets sent to auth0's /authorize endpoint in the network tab?

With auth0-react I think there's no call to /authorize; the request I have is https://accounts.google.com/_/signin/oauth?authuser=1, which sends:

access_type: offline
client_id: xxxx.apps.googleusercontent.com
login_hint: 
redirect_uri: https://auth.dev.xxx/login/callback
response_type: code
scope: email profile https://www.googleapis.com/auth/calendar
state: xxxx

but googleapis userinfo returns:

{
  "scope": "https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile openid",
  "exp": "1719504783",
  "expires_in": "3513",
  "email": "xxx",
  "email_verified": "true",
  "access_type": "online"
}

and when I query the Auth0 identities, I only get an access_token, not a refresh_token.

frederikprijck commented 4 months ago

There should always be a call to auth0's /authorize with this SDK, check the network tab and ensure to preserve logs through redirects. Also, what are you setting as the domain when u configure the SDK?

alexcastrodev commented 4 months ago

> From the SDK perspective, this should work:
>
> <Auth0Provider
>       cacheLocation='localstorage'
>       domain={AUTH0_ISSUER_BASE_BUILDER}
>       clientId={clientId}
>       authorizationParams={{
>         redirect_uri: SITE_URL,
>         audience: AUTH0_AUDIENCE,
>         scope: AUTH0_SCOPE,
>         access_type: 'offline',
>       }}
>     >
>       { children}
>     </Auth0Provider>
>
> Can u verify it gets sent to auth0's /authorize endpoint in the network tab?
>
> There should always be a call to auth0's /authorize with this SDK, what are you setting as the domain when u configure the SDK?

Did you mean /authorize/resume?state=xx?

frederikprijck commented 4 months ago

No. Our SDK does an explicit redirect to /authorize when u call login, see https://github.com/auth0/auth0-spa-js/blob/main/src/Auth0Client.ts#L250

Whatever happens after that is a concern of the server and can depend on some factors. It could end up going to /authorize/resume, sure. But it should be preceded by /authorize.

alexcastrodev commented 4 months ago

> No. Our SDK does an explicit call to /authorize when u call login, see https://github.com/auth0/auth0-spa-js/blob/main/src/Auth0Client.ts#L250
>
> Whatever happens after that is a concern of the server and can depend on some factors. It could end up going to /authorize/resume, sure. But it should be preceded by /authorize.

My bad, I was always checking after clicking on login, not before it.

The payload is:

client_id: xxxx
scope: openid profile email update:current_user_identities https://www.googleapis.com/auth/calendar
redirect_uri: xxx
audience: xx
access_type: offline
response_type: code
response_mode: query
state: xxx==
nonce: xxx==
code_challenge: xxx
code_challenge_method: xxx
auth0Client: xxxx==

frederikprijck commented 4 months ago

Ok, so access_type is sent correctly. Whatever the issue is, it should not be related to the SDK. It does not solve the problem, but at least it helps knowing where to look for the cause of the issue.

I do see you are not sending connection_scope, which https://github.com/auth0/auth0-react/issues/457 is using, do you need it?

alexcastrodev commented 4 months ago

> Ok, so access_type is sent correctly. Whatever the issue is, it should not be related to the SDK. It does not solve the problem, but at least it helps knowing where to look for the cause of the issue.
>
> I do see you are not sending connection_scope, which #457 is using, do you need it?

No, because I can already update calendar events. I just need the refresh_token, to use it in my backend.

alexcastrodev commented 4 months ago

> at least it helps knowing where to look for the cause of the issue

Want me to do something else? Will this be checked internally? I can do some investigation on this package as well if needed.

frederikprijck commented 4 months ago

There is nothing we can do from the SDK side, it works as expected as we send the parameter to Auth0. If that does not work, I recommend to reach out to your support contact, they can get u in touch with the team that can help with this.

The only thing I can recommend is trying if it works if u add connection_scope to the request. Even if you say u do not need it, I'd recommend adding it to see if it changes anything as it helps understanding things.

Additionally, have u seen this? More specifically, this part?:

Afterwards, the refresh token is in the user profile’s identities, which you can get via Auth0 Management API from your backend.

Can you see the refresh token in the user profile's identities (you will need another SDK for that, this is not something you do using this SDK)?

alexcastrodev commented 4 months ago

> There is nothing we can do from the SDK side, it works as expected as we send the parameter to Auth0. If that does not work, I recommend to reach out to your support contact, they can get u in touch with the team that can help with this.
>
> The only thing I can recommend is trying if it works if u add connection_scope to the request. Even if you say u do not need it, I'd recommend adding it to see if it changes anything as it helps understanding things.

Yeah, I did it, same behaviour. I already opened an issue on the community forum, and I see many people having the same problem, but no response. I will try to reach someone from support. Thank you.

Should we close this?

frederikprijck commented 4 months ago

Closing, but I encourage to also try the second part of my message above and see if they show up in your user profile's identities.

alexcastrodev commented 4 months ago

Yes, I added connection_scope, nothing changed.

<Auth0Provider
      cacheLocation='localstorage'
      domain={AUTH0_ISSUER_BASE_BUILDER}
      clientId={clientId}
      authorizationParams={{
        redirect_uri: SITE_URL,
        audience: AUTH0_AUDIENCE,
        scope: AUTH0_SCOPE,
        access_type: 'offline',
        connection_scope: 'https://www.googleapis.com/auth/calendar',
      }}
    >
      {children}
    </Auth0Provider>

alexcastrodev commented 4 months ago

> Closing, but I encourage to also try the second part of my message above and see if they show up in your user profile's identities.

I solved it with this one: https://stackoverflow.com/questions/8942340/get-refresh-token-google-api It was missing prompt=consent.

 <Auth0Provider
      cacheLocation='localstorage'
      domain={AUTH0_ISSUER_BASE_BUILDER}
      clientId={clientId}
      authorizationParams={{
        redirect_uri: SITE_URL,
        audience: AUTH0_AUDIENCE,
        scope: AUTH0_SCOPE,
        access_type: 'offline',
        prompt: 'consent',
      }}
    >
      {children}
    </Auth0Provider>

frederikprijck commented 4 months ago

I have no idea why that would be a requirement, but happy it works for u.

alexcastrodev commented 4 months ago

> I have no idea why that would be a requirement, but happy it works for u.

Just a question, does it make sense to skip the consent prompt for first-party apps, but still send this consent to Google?

alexcastrodev commented 4 months ago

> I have no idea why that would be a requirement, but happy it works for u.

I contacted Auth0 support regarding this issue, and they directed me to this link. It appears that using dynamic parameters to send information only for authorization, without passing it to Auth0, might work.

Can you please confirm if Auth0 core supports this? I tried passing it in authorizationParams and it is passed as [object Object] to /authorize.
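Two points from this thread are worth seeing in code: the fix that finally produced a Google refresh token was adding prompt: 'consent' next to access_type: 'offline', and nested values in authorizationParams arrive at /authorize as the literal string "[object Object]" because the query string is flat. The following is an added example written for this page, not code from auth0-react or auth0-spa-js; the domain, client ID and URLs are constructed placeholders. It reproduces the "[object Object]" serialisation with URLSearchParams, provides a strict builder that refuses non-primitive parameter values before the redirect, and an audit function you can run on the /authorize URL captured from the network tab (before the Google hop) to check that the offline-access parameters discussed above are actually present.

```javascript
// Added example for this thread; not part of auth0-react or auth0-spa-js.
// All values below are constructed placeholders.
const DOMAIN = 'example-tenant.auth0.example'; // hypothetical Auth0 domain
const CLIENT_ID = 'CLIENT_ID_PLACEHOLDER';

// Constructed authorizationParams that carry everything this thread ended up needing
// for a Google refresh token: access_type=offline plus prompt=consent.
const SAMPLE_OFFLINE_PARAMS = {
  client_id: CLIENT_ID,
  redirect_uri: 'https://app.example/callback',
  response_type: 'code',
  scope: 'openid profile email https://www.googleapis.com/auth/calendar',
  audience: 'https://api.example',
  access_type: 'offline',
  prompt: 'consent',
};

// Naive serialisation: URLSearchParams calls String() on every value, so a nested
// object becomes "[object Object]", which is exactly what the thread observed.
function naiveAuthorizeQuery(params) {
  return new URLSearchParams(params).toString();
}

// Strict builder: /authorize takes a flat query string, so only primitive values
// are accepted. Anything else is a configuration bug and is rejected up front
// instead of leaking a meaningless value to the identity provider.
function buildAuthorizeUrl(domain, params) {
  const qs = new URLSearchParams();
  for (const [key, value] of Object.entries(params)) {
    if (value === undefined || value === null) continue; // treat as "not sent"
    const t = typeof value;
    if (t !== 'string' && t !== 'number' && t !== 'boolean') {
      throw new TypeError(`authorizationParams.${key} must be a primitive, got ${t}`);
    }
    qs.set(key, String(value));
  }
  return `https://${domain}/authorize?${qs.toString()}`;
}

// Parameters that, per the thread, had to reach /authorize for Google to return
// a refresh token in the user's identities.
const OFFLINE_REQUIREMENTS = [
  ['access_type', 'offline'],
  ['prompt', 'consent'],
];

// Audit a captured /authorize URL (copied from the browser network tab, with
// "preserve log" enabled so the redirect does not hide it) and report which of
// the required parameters are missing or carry another value.
function auditAuthorizeUrl(url) {
  const u = new URL(url);
  const missing = [];
  for (const [key, expected] of OFFLINE_REQUIREMENTS) {
    if (u.searchParams.get(key) !== expected) missing.push(`${key}=${expected}`);
  }
  return {
    path: u.pathname,          // expect "/authorize" for the SDK's initial redirect
    ok: u.pathname === '/authorize' && missing.length === 0,
    missing,                   // e.g. ["prompt=consent"] when only access_type was set
  };
}

// Stand-alone demo: shows the serialisation pitfall and an audit of a good URL.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(naiveAuthorizeQuery({ client_id: CLIENT_ID, ext: { foo: 'bar' } }));
  console.log(auditAuthorizeUrl(buildAuthorizeUrl(DOMAIN, SAMPLE_OFFLINE_PARAMS)));
}
```

Usage: paste the /authorize URL from the network tab into auditAuthorizeUrl; an empty missing list with path "/authorize" means the SDK sent the offline-access parameters and any remaining problem is downstream of the SDK, which is the same conclusion the thread reached by inspecting the payload by hand.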