I'm trying to get a new access token using the refresh token using Auth0 on provider Bitbucket. According to Bitbucket documentation, the refresh token along client client_id and secret is used to get a new access token.
curl -X POST -u "client_id:secret"
https://bitbucket.org/site/oauth2/access_token \
-d grant_type=refresh_token -d refresh_token={refresh_token}
But it seems that I'm supposed to use Auth0 as a proxy for this. It says in Auth0 documenttation to use the refresh token (user specific) along with my Auth0 domain and Auth0 client id. It seems a bit strange to mix my Auth0 credentials with a refresh token for a Bitbucket user.
This is my flow:
(1) set AUTH0 client info
- set auth0 client id
- set auth0 client secret
- set auth0 domain
- retrieve auth0 client token
(2) get initial user info
get user info at endpoint:
https://<auth0_domain>.auth0.com/api/v2/users/<user_id>
- this will contain an access token for the user
- this will also contain a refresh token for the "user" not the AUTH0 client (I assume?)
(3) try to get access token from refresh token
use the refresh token to get an access token here:
https://<auth0_domain>.auth0.com/oauth/token
notably, the refresh token is for the user, but the client info is from the AUTH0 client - doesn't make sense to me. this fails with this error.
{u'error_description': u'Unauthorized', u'error': u'access_denied'}
It fails on this essentially:
payload = { "client_id": self.auth0_client_id,
"client_secret": self.auth0_client_secret,
"refresh_token": kwargs["refresh_token"].decode("utf-8"),
"grant_type": "refresh_token" }
_endpt = 'https://{}.auth0.com/oauth/token'.format(self.auth0_domain)
headers = {'content-type': 'application/json'}
req = requests.post(_endpt,
data=json.dumps(payload),
headers=headers)
Below is the entire code from my class in python.
#!/usr/bin/env python
import json
import os
import requests
import logging
class Auth0Client(object):
def __init__(self,**kwargs):
self.classname = "Auth0Client"
self.logger.logging.basicConfig(level=logging.INFO)
# (1) set AUTH0 client info
self.auth0_client_id = os.environ["AUTH0_CLIENT_ID"]
self.auth0_client_secret = os.environ["AUTH0_CLIENT_SECRET"]
self.auth0_domain = os.environ["AUTH0_DOMAIN"]
self._set_auth0_client_token()
def _set_auth0_client_token(self):
payload = { "client_id": self.auth0_client_id,
"client_secret": self.auth0_client_secret,
"audience": "https://{}.auth0.com/api/v2/".format(self.auth0_domain),
"grant_type": "client_credentials" }
api_endpoint = 'https://{}.auth0.com/oauth/token'.format(self.auth0_domain)
req = requests.post(api_endpoint,
data=json.dumps(payload),
headers={'content-type': 'application/json'})
self.auth0_client_token = req.json()["access_token"].decode("utf-8")
def _get_userinfo_frm_auth0(self,user):
endpoint = "https://{}.auth0.com/api/v2/users/{}".format(self.auth0_domain,user)
headers = {'Authorization': 'Bearer %s' % self.auth0_client_token}
req = requests.get(endpoint,headers=headers)
return req.json()
def _get_user_access_token_with_refresh(self,**kwargs):
payload = { "client_id": self.auth0_client_id,
"client_secret": self.auth0_client_secret,
"refresh_token": kwargs["refresh_token"].decode("utf-8"),
"grant_type": "refresh_token" }
_endpt = 'https://{}.auth0.com/oauth/token'.format(self.auth0_domain)
headers = {'content-type': 'application/json'}
req = requests.post(_endpt,
data=json.dumps(payload),
headers=headers)
return req.json()["access_token"].decode("utf-8")
def get_user_access_token(self,user):
# (2) get initial user info
user_info = self._get_userinfo_frm_auth0(user)
if str(user_info["identities"][0]["provider"]) == "bitbucket":
# (3) try to get access token from refresh token
user_token = self._get_user_access_token_with_refresh(user=user,**user_info["identities"][0])
else:
user_token = user_info["identities"][0]["access_token"].decode("utf-8")
return user_token
