Google refresh token for hosted apps connection

Hi - I’ve successfully created a workflow using my own test authentication realm based on the Google “social” connection to authenticate a user, then using the Auth0 Management API, basically call back in after the user logs in to fetch the extended user profile, including Google access and refresh tokens. The refresh token is being stored in the app_metadata blob for the user via an Auth0 rule when it’s present, given that it’s only passed in when it’s first created. No problem at all there, working fine. However, when I move over to an application that’s not using Google Social - instead only using the Auth0 enterprise Google connection (i.e. Google Apps / Hosted), I’m not seeing a refresh token at all. Additionally, I noted that the enterprise Google connection doesn’t have permission checkboxes for various Google services like the regular Google Social connection does. So what is, exactly, the process for enabling various Google API scopes for an enterprise Google auth setup? I figure I could get around it by enabling Google Social connection and writing a rule that limits access to just the domain in question, but that seems pretty hacky to me… Am I missing something obvious? Thanks

EDIT: I also fiddled around with sending the connectionScopes parameter through with the Lock configuration, but it appears, according to the documentation, that it’s for social connections. No mention of non-social applicability…

The Google Apps enterprise connection does not support scope configuration at this time. The `connectionScopes` option you mention, like you said it yourself, is applicable for custom OAuth2 and social connections. The Google Apps connection will be mostly useful for authentication purposes only (not so much for authorization as a way to gain access to Google services) because when used with multiple Google Apps domains this type of connection supports home realm discovery automatically in Lock.

If you need custom authorization and the ability to obtain a refresh token later on you may need to use the Google social connection instead. You will loose home realm discovery in Lock, but you can still impose restrictions on which end-users (from which domains) can access the system by implementing a custom rule that blocks access to end-users coming from a Google social connection and from a domain that you do not recognize/support.