OIDC-conformant Refresh Token use
This document is part of the adoption guide for OIDC-conformant authentication. If you haven't already, we strongly suggest reading the introduction before reading this document.
There are some changes to how Refresh Tokens are used in the OIDC-conformant authentication pipeline:
- Using the implicit grant for authentication will no longer return Refresh Tokens. Use silent authentication (such as
- Refresh Tokens should only be used by confidential applications. However, Native (public) applications can also obtain Refresh Tokens for mobile apps; because such apps cannot hold a client secret, they do so through the Authorization Code grant with PKCE rather than by authenticating with a secret.
- The /delegation endpoint is deprecated. To obtain new tokens from a Refresh Token, use the /oauth/token endpoint with the refresh_token grant instead.
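The refresh_token grant against /oauth/token, shown as an added example rather than code from the original guide or from Auth0. It assumes a tenant domain, client_id, client_secret and token values that are placeholders, builds the request so that it can be inspected without a network, and treats a refresh_token in the reply as a rotated token that must replace the stored one.

```python
"""Exchange a Refresh Token for new tokens at /oauth/token (refresh_token grant).

Added example, not Auth0's own code. The tenant domain, client_id,
client_secret and token values used here are placeholders.
"""
import json
import urllib.error
import urllib.parse
import urllib.request


def build_refresh_request(domain, client_id, refresh_token,
                          client_secret=None, scope=None):
    """Build (url, headers, body) for a refresh_token grant against /oauth/token.

    A confidential client authenticates with client_secret. A native (public)
    client omits it and sends only client_id. scope is optional: if omitted the
    originally granted scopes are reused; if sent it may only narrow them.
    """
    params = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
    }
    if client_secret is not None:
        params["client_secret"] = client_secret
    if scope:
        params["scope"] = scope
    url = f"https://{domain}/oauth/token"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode(params).encode("utf-8")
    return url, headers, body


class TokenRefreshError(Exception):
    """Raised when the authorization server rejects the refresh request."""


def parse_token_response(status, raw_body):
    """Interpret the /oauth/token response body.

    Returns a dict with access_token, token_type, expires_in and, when present,
    id_token (openid scope) and refresh_token. A refresh_token in the response
    means the server rotated it: the caller must replace the stored token,
    because the old one may no longer be accepted.
    """
    data = json.loads(raw_body)
    if status != 200 or "error" in data:
        raise TokenRefreshError(
            f"{data.get('error', 'http_' + str(status))}: "
            f"{data.get('error_description', 'no description')}"
        )
    for field in ("access_token", "token_type", "expires_in"):
        if field not in data:
            raise TokenRefreshError(f"response is missing {field}")
    result = {
        "access_token": data["access_token"],
        "token_type": data["token_type"],
        "expires_in": int(data["expires_in"]),
        "rotated": "refresh_token" in data,
    }
    for optional in ("id_token", "refresh_token", "scope"):
        if optional in data:
            result[optional] = data[optional]
    return result


def refresh_tokens(domain, client_id, refresh_token,
                   client_secret=None, scope=None):
    """Send the refresh request over HTTPS and parse the reply.

    Never log the request body: it carries the Refresh Token (and the client
    secret for confidential clients).
    """
    url, headers, body = build_refresh_request(
        domain, client_id, refresh_token, client_secret, scope)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_token_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        # 4xx replies still carry a JSON error body from the token endpoint.
        return parse_token_response(err.code, err.read())


if __name__ == "__main__":
    # Placeholder values; point refresh_tokens() at a real tenant to use it.
    url, headers, body = build_refresh_request(
        "YOUR_DOMAIN", "YOUR_CLIENT_ID", "YOUR_REFRESH_TOKEN",
        client_secret="YOUR_CLIENT_SECRET")
    print(url, headers, len(body), "bytes")
```

Store the returned refresh_token over the old one whenever `rotated` is true; keeping the old value around means a later refresh will fail with `invalid_grant` once the server has retired it.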
Please note that Refresh Tokens must be kept confidential in transit and in storage, and they should be shared only between the authorization server and the client to which they were issued.