Christine Hill asked

Access_Token request is missing a Refresh_token

Hi, I'm working with the following documentation to get access tokens for LWA.
https://developer.amazon.com/docs/login-with-amazon/authorization-code-grant.html

After following this guide, I'm expecting to see a refresh_token in the response package. However, it doesn't appear to be there. This is the (redacted) response I'm getting from the API:

{
  "success":true,
  "access_token":"<redacted>",
  "token_type":"bearer",
  "expires_in":3600
}

Is there some sort of configuration somewhere that we missed which will allow us to receive a refresh_token?

I'm sorry if I selected the wrong "space" for this question. I didn't see an option that matched this specific question.

Thanks,
Christine


1 Answer

Andy Whitworth answered

Hi Christine,

Are you setting "response_type=code" in your initial request to obtain an authorization code?

From here: https://developer.amazon.com/docs/login-with-amazon/authorization-code-grant.html#authorization-request

As the documentation specifies:

For apps that can use server-side scripting. This is the recommended integration. It is considered more secure since the token is never exposed to the user. Both refresh token and access token are returned. Refresh token can be used to obtain new access tokens without involving the user.

It would seem that you don't get a refresh_token if you don't specify response_type=code.

1 comment

Ok... from reviewing that part of the documentation, it seems like the reason we don't have a refresh_token is because we're using an Angular app, which is browser-based. I actually don't need the refresh token FOR the purposes of LWA in our app... our database admin needs it for access to other resources. I don't see any way, in the documentation, to retrieve that token with a browser-based app. Also, what qualifies as a server app? Like, would a .NET C# app running on localhost work?
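The authorization code grant discussed in this thread, as an added example that is not part of the original posts or Amazon's own code: it builds the response_type=code request, checks the callback, prepares the server-side code exchange, and flags a token response that carries no refresh_token. The endpoints and parameter names are those of the linked LWA documentation; the function names, client ID, client secret, redirect URI and state values are placeholders chosen for illustration.

```javascript
// Added example: LWA authorization code grant, request construction only (no network calls).
const AUTHORIZE_URL = "https://www.amazon.com/ap/oa";
const TOKEN_URL = "https://api.amazon.com/auth/o2/token";

// Step 1 (browser redirect): ask for an authorization code, not a token.
function buildAuthorizationUrl({ clientId, redirectUri, scope, state }) {
  const url = new URL(AUTHORIZE_URL);
  url.search = new URLSearchParams({
    client_id: clientId,
    scope,
    response_type: "code", // "token" selects the implicit grant: no refresh_token
    redirect_uri: redirectUri,
    state, // unpredictable per-session value, compared again on the callback
  }).toString();
  return url.toString();
}

// Step 2 (server): accept the callback only if state matches what was sent.
function readCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  if (params.get("state") !== expectedState) throw new Error("state mismatch");
  if (params.has("error")) throw new Error("authorization failed: " + params.get("error"));
  return params.get("code");
}

// Step 3 (server only): exchange the code; client_secret never reaches the browser.
function buildTokenRequest({ code, redirectUri, clientId, clientSecret }) {
  return {
    url: TOKEN_URL,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({
      grant_type: "authorization_code",
      code,
      redirect_uri: redirectUri,
      client_id: clientId,
      client_secret: clientSecret,
    }).toString(),
  };
}

// Step 4: check the token response before storing anything.
function checkTokenResponse(json) {
  const problems = [];
  if (typeof json.access_token !== "string") problems.push("no access_token");
  if (typeof json.refresh_token !== "string") problems.push("no refresh_token (was response_type=code used?)");
  return { ok: problems.length === 0, problems };
}

// Constructed sample shaped like the response posted in the question.
const QUESTION_RESPONSE = { success: true, access_token: "<redacted>", token_type: "bearer", expires_in: 3600 };
```

Running checkTokenResponse(QUESTION_RESPONSE) reports the missing refresh_token.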