auth0 / auth0-spa-js

Auth0 authentication for Single Page Applications (SPA) with PKCE
MIT License

The case for refresh tokens #215

Closed mcantrell closed 4 years ago

mcantrell commented 4 years ago

I was reading through the following issue and I believe I have a case for exposing refresh tokens:

https://github.com/auth0/auth0-spa-js/issues/204

In addition to our normal website, we also want to provide client libraries, etc. I'd love to offer them an option to download a config file (containing the refresh token and current access token, etc.) to use with the library.

This does not seem possible with the library at the moment. Is this something you guys would be interested in exposing? I know it's important for the users to keep the file a secret but are there security risks I'm not considering in this approach?

luisrudge commented 4 years ago

@mcantrell For now, we don't use refresh tokens at all. We're implementing RT rotation for SPA usage in the near future. Once that's ready in our server, we'll modify this SDK to use RTs instead of doing what we do today (load an iframe with prompt=none). In any case, due to the sensitivity of the information, it's unlikely we'll be exposing refresh tokens, but I can't say for sure. We'll need feedback from the community when the time comes.

All in all, your 'client library' can just consume this SDK and expose the information in various ways. I wouldn't go as far as downloading a file with RTs or ATs, though. They do have an expiration date, but having them lying around on file systems seems like an issue to me.

You can 'watch' this repo to know when RT rotation lands in this SDK. When that happens, there will be some discussion about exposing the RT or not and I'll make sure to include scenarios like yours.

Let me know if you have more questions.