Auth0 Home Blog Docs

Access Token for Social Connections - when are they refreshed?



I’m running into an issue where in my Auth0 Rules, the social connection access token I obtain through user.identities[0].access_token expired.

This seems to happen sporadically for a typical login from frontend SPA, and consistently for /oauth/token endpoint when I’m using a stored Auth0 refresh token to fetch a valid Access Token.

Here’s the scenario,

Social connection User use to login: Salesforce

Clients: “CompanySPA”

API: “CompanyAPI”

Our backend (CompanyAPI) stores the Auth0 refresh token of certain users (“API Users”) which we use to run background tasks that doesn’t follow the typical http request-response cycle.

In one of our Auth0 Rules, we use the access token of our social connection (Salesforce) to fetch some information from SF and then populate the JWT with some custom claims. This works mostly fine for SPA implicit grant flow, but for refresh_token , this isn’t working.

By refresh token flow, I mean this:


  "grant_type": "refresh_token",
  "client_id": "(client id of CompanySPA)",
  "refresh_token": "(refresh token of the user)"

The webtask logs indicates that the rules are running, but Salesforce is rejecting the access token because it has expired. In our scenario the API User is not a real user, so it never logs in which means the access token won’t be refreshed.

To summarize, the problems:

  1. If a user hasn’t logged in for a while, the social connection’s access token available through user.identities[0].access_token is an expired one
  2. Sometimes when a user logs in through SPA, user.identities[0].access_token may be expired.

Can Auth0 ensure that when a rule is run, the social connection’s access token is valid?

EDIT: I’m following the instructions in but the access token i get is expired.


The social connection access tokens are obtained as a by-product of user authentication at the social provider itself. As a consequence only a full user authentication at the social provider will lead to a new access token and certain flows like it’s the case of using an Auth0 refresh token won’t cause user authentication at the social provider.

For certain social providers in addition to the access token there will also be available a refresh token which would allow you implement your own refresh process; however, this is not available for Salesforce.

See Identity Provider Access Tokens - Renewing the token section for reference information on this subject.