[Auth0] Not receiving a refresh token and error relating to wrong grantType

[darthf1]

I'm using @nuxtjs/auth-next with the auth0 provider with the PKCE Grant flow. I'm having difficulties with setting up auth0 and getting a refreshToken.

My nuxt.config.ts:

  auth: {
    cookie: {
      options: {
        sameSite: 'strict',
        secure: true,
      },
    },
    localStorage: false,
    plugins: [{ src: '~/plugins/http', ssr: true }],
    redirect: {
      login: '/login/',
      logout: '/',
      callback: '/callback/',
      home: '/',
    },
    strategies: {
      auth0: {
        domain: 'xxx',
        clientId: 'xxx',
        audience: 'xxx',
        scope: ['openid', 'profile', 'email', 'offline_access'],
        responseType: 'token',
        grantType: 'authorization_code',
        codeChallengeMethod: 'S256',
      },
    },
  },

At first, I had the three grants enabled as displayed in the screenshot below.

The login was working properly and I was seeing some config related to the PCKE, however I was not receiving any refresh token (just the regulator token).

I do have offline access is enabled in the auth0 settings:

Then I figured I wouldn't need the implicit grant flow, so I disabled that one. Now I'm getting the following error from auth0:

It tells me that the implicit grant is not allowed; which is true because I just disabled it. But I wouldn't expect the grantType implicit to be used, because I set it to authorization_code. Does this mean somethings is wrong with configuring the grantType and could this be the reason I'm not getting a refresh token?

[JoaoPedroAS51]

Hi @darthf1! I'm pretty sure that responseType should be code.

[darthf1]

Hi @JoaoPedroAS51, thanks, you're absolutely correct. The unauthorized_client error disappears.

I managed to get it working, but there were still some hiccups:

• At first, I got redirected to the callback page and nothing was happening there. Fixed it by setting the token endpoint manually.
• Still stuck at the callback page, but now a POST request was made to the /oauth/token endpoint, but it returned a 401.
• Had to change my application type from Regular Web Application to Native in Auth0 settings. Not really sure yet why I had to change this one.

Q:

• Do you want me to provide a PR to set the token endpoint it in the auth0 provider? (to https://auth0-domain/oauth/token)
• Do you want me to provide a PR to add something to the docs regarding setting up PKCE with the auth0 provider?

[JoaoPedroAS51]

Do you want me to provide a PR to set the token endpoint it in the auth0 provider?

Do you want me to provide a PR to add something to the docs regarding setting up PKCE with the auth0 provider?

That would be great! Thanks! 😃

[timhanlon]

Had to change my application type from Regular Web Application to Native in Auth0 settings. Not really sure yet why I had to change this one.

@darthf1 thanks so much for this!

[darthf1]

Do you want me to provide a PR to set the token endpoint it in the auth0 provider?

Do you want me to provide a PR to add something to the docs regarding setting up PKCE with the auth0 provider?

That would be great! Thanks! 😃

Provided in #730 and #746

[codeofsumit]

@darthf1 I tried to follow your example but I'm not getting a refresh token either.

This is my config:

  auth: {
    plugins: [{ src: '~/plugins/preload', mode: 'client' }],
    rewriteRedirects: false,
    redirect: {
      home: '/portfolio',
      callback: '/logging-in/',
    },
    strategies: {
      local: false,
      auth0: {
        domain: process.env.VUE_APP_AUTHDOMAIN,
        clientId: process.env.VUE_APP_AUTHCLIENTID,
        audience: process.env.VUE_APP_AUTHAUDIENCE,
        scope: ['openid', 'profile', 'email', 'offline_access'],
        responseType: 'code',
        grantType: 'authorization_code',
        codeChallengeMethod: 'S256',
      },
    },
  },

Do you have an idea what I'm doing wrong?
Login/Logout works fine, but no refresh token in my cookies 🤔

I'd appreciate any help 👍

[darthf1]

Did you check your application type? Did you enable offline access in the auth0 API settings?

[codeofsumit]

Hey @darthf1

I have allowed offline access in the custom API Details whose identifier URL I pass in the "audience" parameter

Application Type is currently "Single Page Application". I tried with "Native Application" and "Regular Web Application" as well. What's the correct setting here?

[darthf1]

Had to change my application type from Regular Web Application to Native in Auth0 settings. Not really sure yet why I had to change this one.

@darthf1 thanks so much for this!

Its just above your first post. This is what worked for me, dont know if its the 'correct' one.

[codeofsumit]

@darthf1 yea that's what I tried. Looking at the client cookies though, still shows refresh tokens as false 🤔 .
What else could it be?

[jawa-the-hutt]

wanted to drop a comment in this thread.

tldr: Check that your Token Endpoint Authentication Method is set to None in the App Settings of the Auth0 GUI if you are getting the 401 Unauthorized on the code to access_token exchange.

I followed the new instructions that @darthf1 created in the PR's. This included setting the App Type to Native but I was still getting the same symptom of the 401 Unauthorized when the POST was being made back to the oauth/token endpoint for the access_token exchange. I was using the Default App that every Auth0 tenant provides automatically.

What I had to do was change the App Type back to Regular Web App and then change the Token Endpoint Authentication Method to None. At that point I could change the App Type back to Native or Single Page App and things worked either way.

When you create a brand new Auth0 app and if you set the App Type to Native or Single Page App during the creation, then Token Endpoint Authentication Method is already set to None. However, if you choose Regular Web App then it is set to Post. Since the Default App provided in the tenant starts as a Regular Web App, then this setting is wrong out of the gate.

[andrevferreiraa]

@darthf1 yea that's what I tried. Looking at the client cookies though, still shows refresh tokens as false 🤔 . What else could it be?

did you manage to solve your problem? facing the same issue right now