Introduction

Auth0 supports the authentication and authorization flows defined for OAuth 2.0 (RFC 6749), such as the Authorization Code Flow, the Authorization Code Flow with PKCE (Proof Key for Code Exchange) and the Implicit Flow. With Auth0 and the SDKs it provides, each of these flows can be implemented easily.

On this page, we use the Authorization Code Flow (RFC 6749 section 4.1) as an example to confirm the sequence of obtaining a refresh token with Auth0 and then re-obtaining an access token/ID token with that refresh token. For this confirmation, we introduce the required Auth0 settings and the specific procedure for reacquiring the access token/ID token.

Premise

The information on functions and settings described on this page is current as of January 2023.
For access token/ID token acquisition in Authorization Code Flow, please refer to Authorization Code Flow in Auth0 (Access Token/ID Token).

Pre-configuration

The Auth0-side pre-configuration required to confirm refresh token acquisition in the Authorization Code Flow is shown below.

In this procedure, "https://example.com" is specified as the resource server, but it does not actually provide any resources.

  • Application settings
    • On the Auth0 admin screen, click Applications > Applications
    • Create a new Application
    • Select Single Page Application
    • Register the resource server URL as Allowed Callback URLs
    • After creation, check the issued Client ID and Client Secret values
  • API settings
    • On the Auth0 admin screen, click Applications > APIs
    • Create a new API
    • Register the resource server URL as Identifier
    • Enable Allow Offline Access for refresh token issuance

Confirmation procedure overview

We check the sequence of the Authorization Code Flow and refresh token acquisition in Auth0. The confirmation procedure is outlined below (the step numbers are referenced in the detailed procedure that follows).

  1. Request an authorization code from the Auth0 /authorize endpoint
  2. Authentication screen display by Auth0: Perform user authentication
  3. Transition to the redirect destination specified in 1.: Check the authorization code from the URL
  4. Access the Auth0 /oauth/token endpoint and get an access token, ID token and refresh token
  5. Check the acquired access token and ID token
  6. Access the Auth0 /oauth/token endpoint using the refresh token obtained in 4. and reacquire the ID token and access token
  7. Check the reacquired access token and ID token

Confirmation procedure

1. Request authorization code from Auth0 /authorize endpoint

Access the following URL with a web browser

https://<YOUR_AUTH0_TENANT_NAME>.<REGION_DOMAIN>.auth0.com/authorize?audience=https://example.com&response_type=code&scope=openid profile email offline_access&client_id=kqapeCKisQFv3ensODztuWSvX4dYzDzz&redirect_uri=https://example.com

Supplement

  • <YOUR_AUTH0_TENANT_NAME>: Auth0 tenant name
  • <REGION_DOMAIN>: Auth0 tenant region name
  • audience=https://example.com: Identifier of the API setting in the pre-configuration
  • response_type=code&scope=openid: use the Authorization Code Flow and get an ID token
  • scope=offline_access: get a refresh token
  • client_id: Client ID of the Application setting in the pre-configuration
  • redirect_uri: Redirect destination URL after authentication is completed

2. Authentication screen display by Auth0: Perform user authentication

3. Transition to the redirect destination specified in 1.: Check the authorization code from the URL

https://example.com/?code=tpP_z1EYtGiHy4zOb_lysQKfX7n5jkfOjmpJL1NTN1mwA

4. Access Auth0 /oauth/token endpoint and get access token, ID token and refresh token
> curl -X POST --url 'https://<YOUR_AUTH0_TENANT_NAME>.<REGION_DOMAIN>.auth0.com/oauth/token' --header 'content-type: application/x-www-form-urlencoded' --data 'grant_type=authorization_code&client_id=kqapeCKisQFv3ensODztuWSvX4dYzDzz&client_secret=gp2_bmVL-1qgHiZvh5Cv2GwxkLBard8fZD8UBBUYM5AQ5wD-_pfcuSyokX133GSo&code=tpP_z1EYtGiHy4zOb_lysQKfX7n5jkfOjmpJL1NTN1mwA&redirect_uri=https://example.com'

Supplement

  • grant_type=authorization_code: use the Authorization Code Flow
  • client_id: Client ID of the Application setting in the pre-configuration
  • client_secret: Client Secret of the Application setting in the pre-configuration
  • code: Authorization code obtained in 3.
Acquisition result
{
	"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6Ikp...(omitted)...qvVPSppORhoOjSQLj170Q",
	"refresh_token":"v1.MbSfbtTXtsjmFCtSpWdRLHgd...(omitted)...QRLQ-89EZS_oPicJy2zChr0",
	"id_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCI...(omitted)...Bwf8epG61vPgTk5oQ9p7A",
	"scope":"openid profile email offline_access",
	"expires_in":86400,
	"token_type":"Bearer"
}
5. Confirm the acquired access token and ID token

Decode the access token and ID token at jwt.io.

Access token decoding result
{
	"iss": "<your_auth0_tenant_name>.<region_domain>.auth0.com/",
	"sub": "auth0|63914fc35f596748bf001439",
	"aud": [
	"https://example.com",
	"https://<your_auth0_tenant_name>.<region_domain>.auth0.com/userinfo"
	],
	"iat": 1672298378,
	"exp": 1672384778,
	"azp": "kqapeCKisQFv3ensODztuWSvX4dYzDzz",
	"scope": "openid profile email offline_access"
}
ID token decoding result
{
	"nickname": "xxxxxxxx",
	"name": "xxxxxxx@xxxxxxxx.co.jp",
	"picture": "https://s.gravatar.com/avatar/24b5f30a0fe65625e5afb...(omitted)...%2Fim.png",
	"updated_at": "2022-12-27T10:50:42.856Z",
	"email": "xxxxxxx@xxxxxxxx.co.jp",
	"email_verified": true,
	"iss": "https://<your_auth0_tenant_name>.<region_domain>.auth0.com/",
	"sub": "auth0|63914fc35f596748bf001439",
	"aud": "kqapeCKisQFv3ensODztuWSvX4dYzDzz",
	"iat": 1672298378,
	"exp": 1672334378,
	"sid": "SqBjbek-b0pWC5zmampoHm4M3Rnl_pVL"
}
6. Use the refresh token obtained in 4. to access the Auth0 /oauth/token endpoint and reacquire the ID token and access token
> curl -X POST --url 'https://<YOUR_AUTH0_TENANT_NAME>.<REGION_DOMAIN>.auth0.com/oauth/token' --header 'content-type: application/x-www-form-urlencoded' --data 'grant_type=refresh_token&client_id=kqapeCKisQFv3ensODztuWSvX4dYzDzz&client_secret=gp2_bmVL-1qgHiZvh5Cv2GwxkLBard8fZD8UBBUYM5AQ5wD-_pfcuSyokX133GSo&refresh_token=v1.MbSfbtTXtsjmFCtSpWdRLHgdH2vgIxTYtLbkOMJoOM70NJW-6iei8gzpSKrfEUJXQRLQ-89EZS_oPicJy2zChr0&redirect_uri=https://example.com'

Supplement

  • grant_type=refresh_token: Token reacquisition with a refresh token
  • client_id: Client ID of the Application setting in the pre-configuration
  • client_secret: Client Secret of the Application setting in the pre-configuration
  • refresh_token: Refresh token obtained in 4.
Acquisition result
{
	"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6Ikp...(omitted)...LhQUVepobZLF3pNP3hsoZw",
	"refresh_token":"v1.MrSfbtTXtsjmFCtSpWdRLHhIl0...(omitted)...P8RAU1himNqVxlISqtjn3HQ",
	"id_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCI...(omitted)...9BpmhD3KWFyVMgR0hGQ",
	"scope":"openid profile email offline_access",
	"expires_in":86400,
	"token_type":"Bearer"
}

Supplement

  • When the refresh token rotation function is enabled (default: enabled), a new refresh token is returned each time the access token is reacquired with the refresh token, and the client must store the new one in place of the one it just used.
    Refresh Token Rotation - Auth0 docs
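The following is an added example, not code from the original page or from Auth0: a small standard-library Python client that reproduces steps 1, 3, 4 and 6 above. It builds the /authorize URL with every parameter percent-encoded (the URL on this page writes the space-separated scope list literally, which the browser encodes for you; a program must do it explicitly), extracts the authorization code from the redirect URL, produces the form bodies for the authorization_code and refresh_token grants that the two curl commands send, and applies a token response to a local token store so that the rotated refresh token replaces the used one. The tenant, Client ID, Client Secret and the `state` parameter are placeholders/assumptions (`state` is an RFC 6749 parameter not used on this page; it is included so the redirect can be tied back to the request that started it). `post_token` needs network access and real credentials; everything else runs offline.

```python
import json
import urllib.parse
import urllib.request

# Placeholders: replace with your tenant and the Client ID/Secret from the Application settings.
AUTH0_DOMAIN = "<YOUR_AUTH0_TENANT_NAME>.<REGION_DOMAIN>.auth0.com"
CLIENT_ID = "<CLIENT_ID>"
CLIENT_SECRET = "<CLIENT_SECRET>"
AUDIENCE = "https://example.com"       # Identifier of the API setting
REDIRECT_URI = "https://example.com"   # Allowed Callback URL of the Application setting
SCOPE = "openid profile email offline_access"  # offline_access requests the refresh token


def build_authorize_url(state, domain=AUTH0_DOMAIN, client_id=CLIENT_ID):
    """Step 1: the /authorize URL, with every parameter percent-encoded.
    urlencode turns the space-separated scope list into openid+profile+email+offline_access.
    'state' is an assumption added here (not on the page): the client generates an
    unguessable value, sends it, and checks it when the redirect comes back."""
    params = {
        "audience": AUDIENCE,
        "response_type": "code",
        "scope": SCOPE,
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    return f"https://{domain}/authorize?" + urllib.parse.urlencode(params)


def extract_code(redirect_url, expected_state=None):
    """Step 3: pull the authorization code out of the redirect URL
    (https://example.com/?code=...). Returns None if the code is missing or,
    when a state was sent in step 1, if the returned state does not match it."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(redirect_url).query)
    if expected_state is not None and query.get("state", [None])[0] != expected_state:
        return None
    return query.get("code", [None])[0]


def code_grant_body(code):
    """Step 4: form body for exchanging the authorization code (first curl command)."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "code": code,
        "redirect_uri": REDIRECT_URI,
    }


def refresh_grant_body(refresh_token):
    """Step 6: form body for reacquiring tokens with the refresh token (second curl command)."""
    return {
        "grant_type": "refresh_token",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "refresh_token": refresh_token,
    }


def post_token(body, domain=AUTH0_DOMAIN):
    """POST the form body to /oauth/token and return the parsed JSON response.
    Requires network access and real credentials; not exercised offline."""
    req = urllib.request.Request(
        f"https://{domain}/oauth/token",
        data=urllib.parse.urlencode(body).encode(),
        headers={"content-type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def update_token_store(store, token_response):
    """Apply a /oauth/token response to the client's token store.
    With Refresh Token Rotation enabled the response carries a new refresh_token
    that replaces the one just used; if none is returned, the stored one is kept."""
    store["access_token"] = token_response["access_token"]
    if "id_token" in token_response:
        store["id_token"] = token_response["id_token"]
    if "refresh_token" in token_response:
        store["refresh_token"] = token_response["refresh_token"]
    return store


# Usage (online): print(build_authorize_url(state)); open it in a browser; then
#   code = extract_code(redirect_url, state)
#   store = update_token_store({}, post_token(code_grant_body(code)))
#   store = update_token_store(store, post_token(refresh_grant_body(store["refresh_token"])))
```

The store update is the part that matters once rotation is on: after step 6 the refresh token obtained in step 4 has been consumed, and only the one returned in the step 6 response can be used for the next reacquisition.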
7. Check the reacquired access token and ID token

Decode the access token and ID token on jwt.io and confirm that the issuance time (iat claim) and expiration time (exp claim) differ from the confirmation result in 5.

Decode result of reacquired access token
{
  "iss": "https://<your_auth0_tenant_name>.<region_domain>.auth0.com/",
  "sub": "auth0|63914fc35f596748bf001439",
  "aud": [
    "https://example.com",
    "https://<your_auth0_tenant_name>.<region_domain>.auth0.com/userinfo"
  ],
  "iat": 1672298551,
  "exp": 1672384951,
  "azp": "kqapeCKisQFv3ensODztuWSvX4dYzDzz",
  "scope": "openid profile email offline_access"
}
Decode result of reacquired ID token
{
	"nickname": "xxxxxxxx",
	"name": "xxxxxxx@xxxxxxxx.co.jp",
	"picture": "https://s.gravatar.com/avatar/24b5f30a0fe65625e5afb...(omitted)...%2Fim.png",
	"updated_at": "2022-12-27T10:50:42.856Z",
	"email": "xxxxxxx@xxxxxxxx.co.jp",
	"email_verified": true,
	"iss": "https://<your_auth0_tenant_name>.<region_domain>.auth0.com/",
	"sub": "auth0|63914fc35f596748bf001439",
	"aud": "kqapeCKisQFv3ensODztuWSvX4dYzDzz",
	"iat": 1672298551,
	"exp": 1672334551
}
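An added example, not code from the page or from Auth0, that does offline what steps 5 and 7 do on jwt.io: it base64url-decodes a JWT payload, runs the checks a resource server makes on the claims before trusting them (iss, aud, exp, iat), and compares the original and reacquired access tokens to confirm that iat/exp moved while sub/aud/azp/scope stayed the same. The sample tokens are constructed here from the claim values shown in the decode results above, with a dummy signature; decoding like this shows the claims only and does not verify the signature, which a real resource server must still do against the tenant's JWKS (not shown).

```python
import base64
import json

# Constructed from the decode results in steps 5 and 7 (values copied from the page).
ORIGINAL_ACCESS_CLAIMS = {
    "iss": "https://<your_auth0_tenant_name>.<region_domain>.auth0.com/",
    "sub": "auth0|63914fc35f596748bf001439",
    "aud": [
        "https://example.com",
        "https://<your_auth0_tenant_name>.<region_domain>.auth0.com/userinfo",
    ],
    "iat": 1672298378,
    "exp": 1672384778,
    "azp": "kqapeCKisQFv3ensODztuWSvX4dYzDzz",
    "scope": "openid profile email offline_access",
}
REFRESHED_ACCESS_CLAIMS = dict(ORIGINAL_ACCESS_CLAIMS, iat=1672298551, exp=1672384951)


def b64url_decode(segment):
    """base64url without padding, as used by JWT segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_sample_jwt(claims):
    """Constructed sample token: header.payload.dummy-signature. Only for feeding
    decode_jwt_claims offline; a real Auth0 token is RS256-signed."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummysignature"


def decode_jwt_claims(token):
    """What jwt.io's decoder shows: the payload claims. No signature check is done."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    return json.loads(b64url_decode(parts[1]))


def check_access_token_claims(claims, expected_iss, expected_aud, now):
    """Claim checks a resource server makes after signature verification.
    Returns a list of problems; an empty list means the claims are acceptable."""
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        problems.append("aud does not include this API")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        problems.append("expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now:
        problems.append("iat in the future")
    return problems


def compare_refreshed(old_claims, new_claims):
    """Step 7: the reacquired token is a fresh issuance for the same subject and
    audience, so iat and exp move forward while iss/sub/aud/azp/scope are unchanged."""
    same = all(old_claims.get(k) == new_claims.get(k) for k in ("iss", "sub", "aud", "azp", "scope"))
    newer = new_claims["iat"] > old_claims["iat"] and new_claims["exp"] > old_claims["exp"]
    return same and newer


if __name__ == "__main__":
    original = decode_jwt_claims(make_unsigned_sample_jwt(ORIGINAL_ACCESS_CLAIMMS if False else ORIGINAL_ACCESS_CLAIMS))
    refreshed = decode_jwt_claims(make_unsigned_sample_jwt(REFRESHED_ACCESS_CLAIMS))
    print("problems:", check_access_token_claims(original, original["iss"], "https://example.com", 1672300000))
    print("refreshed is a newer issuance for the same subject:", compare_refreshed(original, refreshed))
```

The exp check uses the same instant-based comparison for both tokens: with the values from the page, the original access token is rejected from 1672384778 onward while the reacquired one stays valid until 1672384951, which is the practical effect of the refresh.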

Conclusion

As an example of how the Authorization Code Flow operates in Auth0, we walked through reacquiring an access token/ID token with a refresh token. We hope this helps you understand how the Authorization Code Flow works and how Auth0 implements it.
