Jeff

Reputation: 12183

Auth0 - get id_token from refresh_token

In our 7+ microservices we rely on the Auth0 id_token. When exchanging a refresh_token (POST myapp.auth0.com/oauth/token) I only get back an access_token and not an id_token.

How do I exchange a refresh_token for an id_token with Auth0's API?

Upvotes: 0

Views: 1163

Answers (2)

Jeff

Reputation: 12183

It appears the refresh token grant is for Auth0's new API Authorization feature. The endpoint I was looking for was /delegation.

Example Node.js code:

// Reads AUTH0_DOMAIN and AUTH0_CLIENT_ID from the environment
const axios = require('axios')
const env = process.env

// HTTP client pointed at the tenant; every call below is a JSON POST
const tokenClient = axios.create({
  baseURL: `https://${env.AUTH0_DOMAIN}`,
  headers: {
    'content-type': 'application/json'
  }
})

const refreshTokenClient = {
  // Resolves with the /delegation response body, which carries the id_token
  getAccessToken: (refreshToken) => {
    // The official Node.js SDK for Auth0 does not
    // support this it would seem (it forces passing id_token)
    return tokenClient.post('/delegation', {
      client_id: env.AUTH0_CLIENT_ID,
      target: env.AUTH0_CLIENT_ID,
      grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
      refresh_token: refreshToken,
      scope: 'openid',
      api_type: 'auth0'
    }).then(r => r.data)
  }
}

module.exports = { refreshTokenClient }

Upvotes: 0

Hans Z.

Reputation: 53998

Technically the refresh_token grant type is part of OAuth 2.0 and the id_token is part of OpenID Connect, an identity protocol built on top of OAuth 2.0.

The refresh_token grant type of OAuth 2.0 allows for renewing access tokens (only). OpenID Connect doesn't define additional behavior beyond that for a good reason: the id_token is defined as the result of a user authentication event and an "authentication refresh" without user interaction can thus not result in a new id_token. The user may have left, logged out or his/her account removed in the meantime.

Refreshing an id_token should be done by sending the user to the OpenID Connect Provider again, not by using a refresh token autonomously.

Upvotes: 1
