
Custom social connection missing refresh_token


#1

I’m using a custom social connection to connect to QuickBooks Online, but the extension is not passing on the refresh_token or expires_at attributes to the Fetch User Profile Script. I also need the realmId they send back in the URL query string during the callback phase.

Any ideas how I can get these parameters?


#2

The fetchUserProfile script is meant to obtain additional information about the user and is called as part of the exchange process, so it’s highly unlikely that the access token would be expired by the time the script runs. Based on this, can you clarify what the use case would be for having the refresh token available to such a script?

In addition, I tested this with a custom OAuth2 connection, not targeting QuickBooks, that returned the following response from the token endpoint:

{
  access_token: "at-34tw...",
  token_type: "Bearer",
  refresh_token: "rt-yv3fs...",
  expires_at: 86400
}

I then confirmed that the fetchUserProfile script could access the access_token value through the accessToken argument and the expires_at and token_type values through ctx.expires_at and ctx.token_type respectively. In conclusion, the refresh token is not made available to that script, but there should be no need for it within the script itself, so it could be argued it’s for the best to not expose it. In relation to the realm identifier you mention, if it’s returned as part of the response to the token endpoint then it should also be exposed in ctx, but if it’s returned as an additional query parameter to the callback URL then I’m not sure if it can be accessed on the custom script.

In addition, the refresh_token, if returned by the external identity provider, will still be associated with the user profile and can be obtained through the process described at:

https://auth0.com/docs/tokens/idp#how-to-obtain-identity-provider-access-tokens


#3

You are correct, I don’t need the refresh token inside the fetchUserProfile script, and the link to obtain identity provider access tokens looks like exactly what I need! Thank you!

Any idea on the realmId parameter they send back with the callback GET request?



#5

Extra parameters (not part of the core OAuth2 spec) returned at the token endpoint are exposed through the ctx argument, however, extra parameters included directly in the query component of the HTTP redirect to the callback URL are just ignored and I’m not aware of any extensibility point from where you could obtain them.
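
A fetchUserProfile script written around what this thread establishes: extra token-endpoint fields are read from ctx, a value that only appears in the callback query string is treated as optional because it never reaches ctx, and tokens are kept out of the returned profile. This is an added example, not part of any post above and not Auth0's own code; the userinfo URL, the injected `httpGet` helper, the `makeFetchUserProfile` and `demo` names, and a `realmId` field on ctx are assumptions.

```javascript
// Added example. USERINFO_URL, makeFetchUserProfile, httpGet, demo and the
// realmId field on ctx are assumptions for illustration.
const USERINFO_URL = 'https://idp.example/userinfo'; // placeholder endpoint

// httpGet(options, callback(err, response, body)) mirrors a callback-style
// HTTP client; it is injected so the script can be exercised offline.
function makeFetchUserProfile(httpGet) {
  // Auth0 invokes the script as (accessToken, ctx, cb).
  return function fetchUserProfile(accessToken, ctx, cb) {
    const options = {
      url: USERINFO_URL,
      headers: { Authorization: 'Bearer ' + accessToken },
    };
    httpGet(options, (err, resp, body) => {
      if (err) return cb(err);
      if (!resp || resp.statusCode !== 200) {
        return cb(new Error('userinfo request failed'));
      }
      let info;
      try {
        info = JSON.parse(body);
      } catch (e) {
        return cb(new Error('userinfo response is not JSON'));
      }
      if (!info || !info.sub) return cb(new Error('userinfo response has no sub'));

      const profile = { user_id: String(info.sub), email: info.email };
      // Extra token-endpoint fields show up on ctx. A value sent only in the
      // callback query string never reaches ctx, so treat it as optional.
      if (typeof ctx.realmId === 'string') profile.realm_id = ctx.realmId;
      if (Number.isFinite(ctx.expires_at)) profile.idp_expires_at = ctx.expires_at;
      // Only the fields above go into the profile; accessToken is never
      // copied, so it cannot leak through profile attributes.
      cb(null, profile);
    });
  };
}

// Constructed sample run with a stubbed HTTP client (no network access).
function demo(ctx) {
  const stub = (opts, done) =>
    done(null, { statusCode: 200 }, '{"sub":"qbo-123","email":"a@example.com"}');
  let result;
  makeFetchUserProfile(stub)('at-constructed', ctx, (e, p) => { result = e || p; });
  return result;
}
```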

