
    No refresh token using /api/login

    • tarun.verghis

      I have an application where I log the user in (using a login ID and password) by sending the credentials to api/login (per these docs). I've made sure that I'm specifying an applicationId in the request body, and I've double checked that in the admin dashboard, Applications > My Application > Generate Refresh Tokens is turned on. However, the response body still does not contain a refresh token, and the access token returned is only valid for a short time - I do not want the user to have to authenticate so often.

      Here is a sample request I've tried from the command line, using HTTPie:

      http POST :9011/api/login loginId=$USER password=$PWORD applicationId=$APPID Authorization:$APIKEY
      

      I get the same result using the Java FusionAuth client, which is actually my primary use case:

      LoginRequest loginRequest =
          new LoginRequest(
              fusionAuthClientId, loginCredentials.getLoginId(), loginCredentials.getPassword());

      ClientResponse<LoginResponse, Errors> loginResponse = fusionAuthClient.login(loginRequest);
      

      Versions:

      • FusionAuth: 1.18.7
      • fusionauth-java-client: 1.18.0

      Not sure what I'm missing! Thank you!

      • dan

        Hmmm.

        Here's my curl command which does return a refresh token:

        curl -vvvv -XPOST -H 'Content-type: application/json' -H "Authorization: $API_KEY" 'http://localhost:9011/api/login' -d '{"loginId": "dan@example2.com", "password": "password", "applicationId" : "85a03867-dccf-4882-adde-1a79aeec50df" }'
        

        Here's the response I get:

        {
        	"refreshToken": "sJAPl9_qiLIuG1B...",
        	"token": "eyJ...",
        	"user": {
        		"active": true,
        		"connectorId": "e3306678-a53a-4964-9040-1c96f36dda72",
        		"email": "dan@example2.com",
        		"firstName": "Dan",
        		"id": "4878bba6-f7f2-448c-b1b6-33cc2584b0b6",
        		"insertInstant": 1598894341649,
        		"lastLoginInstant": 1598996665034,
        		"lastUpdateInstant": 1598894341649,
        		"mobilePhone": "3035551212",
        		"passwordChangeRequired": false,
        		"passwordLastUpdateInstant": 1598894341671,
        		"registrations": [{
        			"applicationId": "85a03867-dccf-4882-adde-1a79aeec50df",
        			"id": "81874db1-d26d-4ab2-895f-688049d710ac",
        			"insertInstant": 1598894341778,
        			"lastLoginInstant": 1598996665034,
        			"lastUpdateInstant": 1598905646631,
        			"usernameStatus": "ACTIVE",
        			"verified": true
        		}],
        		"tenantId": "30663132-6464-6665-3032-326466613934",
        		"twoFactorDelivery": "None",
        		"twoFactorEnabled": false,
        		"usernameStatus": "ACTIVE",
        		"verified": true
        	}
        }
        

        I'm unfamiliar with HTTPie, but are you sending JSON? (The client library should do that automatically, however.)

        I have JWT enabled on my application. My app security tab requires an API key for the login API and has 'generate refresh tokens' checked. These seem like the same settings you have. Am I missing something?

        Is the user registered to the application?

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        • tarun.verghis

          Oh my gosh I figured it out... For the /api/login endpoint to generate refresh tokens, you need to enable Application > My application > Security tab > Generate refresh tokens under the Login API settings. D'oh!

          The previous Generate refresh tokens setting I had enabled was under the OAuth tab. Oops!

          Thanks for taking a look Dan!

          • tarun.verghis

            Follow-up: I think it would be helpful to update the docs for /api/login to indicate this 🙂

            • dan

              Glad you figured it out!

              I just filed a PR to tweak the docs to make it more clear: https://github.com/FusionAuth/fusionauth-site/pull/194

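The checks raised in this thread, collected into a small diagnostic as an added example (not code from the posters or from FusionAuth). The `loginConfiguration.generateRefreshTokens` and `oauthConfiguration.generateRefreshTokens` field names are assumed from the FusionAuth Application API, and the application, request and response objects are constructed samples.

```python
import json

# Constructed Application object. Field names are assumed from the FusionAuth
# Application API (GET /api/application/{id}); verify them on your version.
SAMPLE_APP = json.loads("""
{"application": {
  "id": "00000000-0000-0000-0000-000000000001",
  "loginConfiguration": {"generateRefreshTokens": false},
  "oauthConfiguration": {"generateRefreshTokens": true}
}}
""")

# Constructed /api/login request and response bodies (secrets elided).
SAMPLE_REQUEST = {"loginId": "user@example.com",
                  "applicationId": "00000000-0000-0000-0000-000000000001"}
SAMPLE_RESPONSE = {"token": "eyJ...", "user": {"registrations": [
    {"applicationId": "00000000-0000-0000-0000-000000000001"}]}}


def diagnose_missing_refresh_token(app_doc, login_request, login_response):
    """Return the thread's candidate reasons for a missing refreshToken."""
    if login_response.get("refreshToken"):
        return []  # nothing to diagnose
    findings = []
    app = app_doc.get("application", {})
    app_id = login_request.get("applicationId")
    if not app_id:
        findings.append("request has no applicationId")
    login_on = app.get("loginConfiguration", {}).get("generateRefreshTokens", False)
    oauth_on = app.get("oauthConfiguration", {}).get("generateRefreshTokens", False)
    if not login_on:
        msg = "Login API 'Generate refresh tokens' (Security tab) is off"
        if oauth_on:
            msg += "; only the OAuth tab setting is on"
        findings.append(msg)
    regs = login_response.get("user", {}).get("registrations", [])
    if app_id and all(r.get("applicationId") != app_id for r in regs):
        findings.append("user is not registered to the application")
    return findings


if __name__ == "__main__":
    for finding in diagnose_missing_refresh_token(
            SAMPLE_APP, SAMPLE_REQUEST, SAMPLE_RESPONSE):
        print("-", finding)
```

The function reads only configuration flags and registration ids, so token values never need to be logged while troubleshooting.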