Auth0 and refresh tokens

Hi!

We recently moved the user db for our backend API to Auth0, and thus updated our retooling to consume our API with the new Auth0 OAuth2 infrastructure.

The problem that we are seeing is that it would seem that access tokens, after they expire, are not being refreshed, even though we are setting the offline_access scope at authorization time. Our access tokens are rather short-lived (~1 hour) so it gets rather frustrating to have to authorize the API so often.

At first I thought that the rotating refresh tokens from Auth0 could be troublesome, but even after switching to non-rotating refresh tokens, we still see that our users need to reauthorize the API multiple times a day.

Does Retool consume and use refresh tokens? I’ve found similar questions to this one in the forum (at least one) and apparently there was once a bug that would manifest this way, but it should have been fixed. Is it possible that it is happening again?

2 Likes

Hi Juan :slightly_smiling_face:

I just wanted to (belatedly) jump in here to let you know we've pushed a fix for this and implemented handling of OAuth2 per-user rotating refresh tokens :confetti_ball:

Let us know if you're still blocked here, and thank you for sharing this with us back in August, and for your patience while we figured this one out!

1 Like
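
The refresh behaviour discussed in this thread, as an added example that is not part of either post and is not Retool's or Auth0's code: a client that refreshes an expired access token and persists the refresh token when the server rotates it. `FakeAuthServer`, `TokenClient` and the `store_rotated` switch are hypothetical names, and the token endpoint is a constructed in-process stand-in so the example runs offline.

```python
import secrets
import time

class FakeAuthServer:
    """Constructed stand-in for an OAuth2 token endpoint (hypothetical, not Auth0's API)."""
    def __init__(self, rotating, ttl=3600):
        self.rotating, self.ttl = rotating, ttl
        self.valid_refresh = set()

    def authorize(self):
        # Initial grant with offline_access: access token plus refresh token.
        rt = secrets.token_urlsafe(16)
        self.valid_refresh.add(rt)
        return self._issue(rt)

    def refresh(self, refresh_token):
        if refresh_token not in self.valid_refresh:
            return {"error": "invalid_grant"}
        if not self.rotating:
            return self._issue(None)  # response may omit refresh_token (RFC 6749, sec. 6)
        self.valid_refresh.discard(refresh_token)  # rotation: old token is now dead
        rt = secrets.token_urlsafe(16)
        self.valid_refresh.add(rt)
        return self._issue(rt)

    def _issue(self, rt):
        resp = {"access_token": secrets.token_urlsafe(16), "expires_in": self.ttl}
        if rt:
            resp["refresh_token"] = rt
        return resp

class TokenClient:
    def __init__(self, server, store_rotated=True, now=time.time):
        self.server, self.store_rotated, self.now = server, store_rotated, now
        self._save(server.authorize(), first=True)

    def _save(self, resp, first=False):
        self.access = resp["access_token"]
        self.expires_at = self.now() + resp["expires_in"] - 60  # refresh 60 s early
        # Keep the old refresh token only when the response carries no new one.
        if "refresh_token" in resp and (first or self.store_rotated):
            self.refresh_token = resp["refresh_token"]

    def get_access_token(self):
        if self.now() < self.expires_at:
            return self.access
        resp = self.server.refresh(self.refresh_token)
        if "error" in resp:
            raise PermissionError("re-authorization required: " + resp["error"])
        self._save(resp)
        return self.access
```

With `store_rotated=False` against a rotating server, the first refresh succeeds and the second fails with `invalid_grant`, which to the user looks like having to re-authorize after roughly two token lifetimes.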