fetchUserProfile script is meant to obtain additional information about the user and is called as part of the exchange process so it’s highly unlikely that the access token would be expired by the time the script runs. Based on this, can you clarify what would the use case to have the refresh token available to such script.
In addition, I tested this with a custom OAuth2 connection, not targeting QuickBooks, that returned the following response from the token endpoint:
I then confirmed that the
fetchUserProfilescript could access the
access_token value through the
accessToken argument and the
token_type values through
ctx.token_type respectively. In conclusion, the refresh token is not made available to that script, but there should be no need for it within the script itself so it could be argued it’s for the best to not expose it. In relation to the realm identifier you mention, if it’s returned as part of the response to the token endpoint then it should also be exposed in
ctx, but if it’s returned as an additional query parameter to the callback URL then I’m not sure if it can be accessed on the custom script.
In addition, the
refresh_token if returned by the external identity provider will still be associated to the user profile and can be obtained through the process described at: