for additional info, it seems that i was wrong in my assumption that google issues a refresh token every time i call the authorize endpoint. it only does when you first authorize with google (when you first got into the consent screen) or when you pass approval_prompt: 'force' parameter. it’s up to you how you want to store this refresh token but we prefer to use it on the auth0 side using a rule.
1 Like