Auth0 Fails to Store Refresh Tokens for Linked Accounts

Let’s remove the account linking from the equation for a moment. We have two flows:

1. User logs in with Google and checks all the required permissions. We retrieve the Google refresh token via the GET /v2/users/{id} endpoint immediately following the initial login.
2. User logs in with Google and does not check the required permissions. Then, when the user is in the dashboard, we inform them that they need to check the required permissions in order to use all the features of the dashboard.
   • That’s the moment we use prompt=consent,access_type=offline, also, informing the connection=google-oauth2 parameter. This forces the consent flow to be performed again. We receive the refresh token in this case.

Now, what I mentioned above is 100% true, and it works as expected only when a single Google account is used. However, when we link the Google account as a secondary account, the refresh token is not stored in the Auth0 side.

One workaround for this use case is to have Google Social Connection as the primary account. It does not make sense, though. What if I add Facebook support? Apple?

I’m building a SaaS product and planned to subscribe to the Essentials plan. Auth0 says it supports account linking, but the product is incomplete: it says one thing, and does another. The product is impracticable, it does not work, and Auth0 does not have a plan to fix it.

Token Vault with Connected Accounts is an alternative. However, how do I trust this new product if account linking is not working? I feel frustrated.

Hi @tinuvi.solutions

I completely understand that the account linking flow can be quite frustrating in that situation. When linking two accounts, the mentioned endpoint is designed to return the credentials of the primary user, the reason why the refresh token of the Google account is not present in the Auth0 identity it is because it is stored in the profile array of the secondary (Google) identity, which is not being exposed as a top-level property in the user object itself.

As you have stated, this can make the product appear incomplete when this scenario cannot be handled "both ways" (Auth0 or Google as primary identity) since it is the architectural approach of this certain feature. For certain use cases, this design can be infuriating.

Basically, this is what the Token Vault with Connected Accounts feature aims to accomplish. After configuring the Token Vault on your tenant and any other dependencies that it requires, it will securely store federated token (the Google access/refresh tokens in your scenario), no longer being tied to the identities of the user, which you are able to return whenever necessary.

Since this is an API based approach for Token Exchanges, it can be considered reliable due to its single grant type. Although it does not currently cover all possible federated connections, you should be able to create custom social/enterprise connections which can make use of the Token Vault.

I understand that it is hard to rely on the Token Vault since it is quite a new feature which reached GA(General Availability) recently, however, it is a much modern approach which should help you solve the issue that you are facing because of the old/deprecated account linking feature that Auth0 offers.

Of course, if you ever run into issues when using the Token Vault, if you decide to move forward with the Essentials plan, you can always open a support ticket to receive any necessary help on the matter.

If you may need some additional information about the Token Vault and if it really suits your use case, I would recommend to get in touch with us to have a more in-depth discussion.

If I can help with anything else, let me know!

Kind Regards,
Nik

Account linking product has a bug. It’s a serious bug. The product does not appear incomplete. It is incomplete. If that’s the case, account linking has to be removed from the pricing page.

It is understandable your solution regarding Token Vault with Connected Accounts. It’s fine and I think it’s the correct approach of solving the issue about token exchange flow and all of its security issues. Though, that does not justify Auth0 selling point. What I’m asking is not a “feature request” or something. It’s a bug fix that has to be done.