Auth0 omitting scopes when refreshing access token

I'm using auth0-react to manage authentication in my SPA, and it's been working fine for many months. However, recently it stopped supporting the use of refresh tokens.

I believe my app is using a fairly standard structure, as defined in the documentation for v1.12.1. All is fine when I originally log in: the /authorize endpoint returns what's expected and triggers an immediate call to /token with grant_type=authorization_code in the payload. This succeeds: HTTP 200 and a response that includes refresh_token and scope, among other fields.

However, when I make an API call after the access token has expired, a call to /token is triggered which receives an HTTP 400 with body: {"error":"invalid_scope","error_description":"User is not authorized to the audience for those scopes"}. A bit of experimentation shows that the /token request has only the following four fields in its payload: client_id, redirect_uri, refresh_token and grant_type=refresh_token. When I make a manual call with the same details but I add scope, the request succeeds.

As such, I believe my question is: is there a way to force the getAccessTokenSilently function to include the scope parameter in a /token request with grant_type=refresh_token? Alternatively, can anyone guess what may have changed for this issue to appear unexpectedly a couple of weeks ago? (I believe I made no code changes that could be relevant: in fact, I made almost no changes to my JavaScript in this time, and the problem persists on reverting to old code.)

I'm not an expert on authentication flows, so if my question is unclear or you can think of any further things to check, please let me know.
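The refresh-token exchange described in the question, as an added example that is not part of the original post and not auth0-react's own code. It builds the form-encoded refresh_token grant with the four fields observed on the wire, optionally adds scope, and runs it against a constructed mock of the token endpoint that reproduces the observed behaviour (400 invalid_scope when scope is absent). The mock also rejects scopes outside the original grant, which is what RFC 6749 section 6 requires of any authorization server; note that the RFC says an omitted scope should be treated as equal to the original grant, so the 400 in the question is stricter than the default semantics, and the mock copies the question, not the RFC, on that point. The endpoint URL, client_id, refresh token and the granted scope list are placeholders.

```javascript
// Added example (not from the original question or from auth0-react).
// Models the refresh_token grant with a constructed mock token endpoint so
// the effect of the missing scope parameter can be seen offline.

const GRANTED_SCOPES = ["openid", "profile", "read:items"]; // constructed grant

// Build the form-encoded body for a refresh_token grant. Mirrors the four
// fields the question saw in the payload, plus an optional scope parameter.
function buildRefreshRequest({ clientId, redirectUri, refreshToken, scope }) {
  const body = new URLSearchParams({
    grant_type: "refresh_token",
    client_id: clientId,
    redirect_uri: redirectUri,
    refresh_token: refreshToken,
  });
  if (scope) body.set("scope", scope);
  return body;
}

// Client-side check: does an outgoing /token request carry a non-empty scope?
// Handy as a breakpoint assertion when debugging the silent-refresh path.
function hasScopeParam(body) {
  return body.has("scope") && body.get("scope").trim().length > 0;
}

// Constructed mock of the token endpoint behaviour the question observed:
// no scope => 400 invalid_scope; scopes outside the original grant =>
// 400 invalid_scope (RFC 6749 section 6); otherwise a fresh access token.
function mockTokenEndpoint(body) {
  if (body.get("grant_type") !== "refresh_token") {
    return { status: 400, json: { error: "unsupported_grant_type" } };
  }
  if (!hasScopeParam(body)) {
    return {
      status: 400,
      json: {
        error: "invalid_scope",
        error_description: "User is not authorized to the audience for those scopes",
      },
    };
  }
  const requested = body.get("scope").split(/\s+/).filter(Boolean);
  const outside = requested.filter((s) => !GRANTED_SCOPES.includes(s));
  if (outside.length > 0) {
    return {
      status: 400,
      json: { error: "invalid_scope", error_description: `not granted: ${outside.join(" ")}` },
    };
  }
  return {
    status: 200,
    json: {
      access_token: "constructed.access.token", // placeholder, not a real JWT
      token_type: "Bearer",
      expires_in: 86400,
      scope: requested.join(" "),
    },
  };
}

// Worked run: the same refresh request without and with scope.
function demo() {
  const base = {
    clientId: "CLIENT_ID_PLACEHOLDER",
    redirectUri: "https://app.example/callback",
    refreshToken: "REFRESH_TOKEN_PLACEHOLDER",
  };
  const withoutScope = mockTokenEndpoint(buildRefreshRequest(base));
  const withScope = mockTokenEndpoint(
    buildRefreshRequest({ ...base, scope: "openid profile read:items" })
  );
  return { withoutScope: withoutScope.status, withScope: withScope.status };
}

console.log(demo()); // { withoutScope: 400, withScope: 200 }
```

When reproducing the question's symptom against a real tenant, the useful check is the one in hasScopeParam: capture the refresh_token grant the SDK sends and confirm whether scope is present before assuming the server-side configuration changed.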
