Get Refresh Token from Custom Social Connection login


We’re using a Custom Social Connection to connect with an organization that has implemented an OpenID Connect Provider that conforms to a publicly defined specification.

In accordance with the specification, we need to receive Refresh Tokens for users of the OIDC Provider, so that we can later allow our customers to make bookings on their (the user’s) data. However, Refresh Tokens are not available to the “Fetch User Profile Script” in the Custom Social Connection.

The user just signs in to our dashboard to consent and sign some terms. It’s much later that we actually need to access the OIDC Provider’s API on their behalf. In order to do this we need Access Tokens. As this API access can happen much later than the user’s dashboard sign-in, we need Refresh Tokens in order to generate new Access Tokens. This is an ongoing consent, which could last months, years, etc. So a Refresh Token is definitely needed. The specification strongly advises using Refresh Tokens as, otherwise, the user would have to keep repeatedly signing in to our dashboard and generating Access Tokens for us.

I’ve seen a similar question asking about this here: custom social connections and refresh_token. For this, the answer suggested that they may not be needed for that use case. That may have been so but, in this case, it really is needed as the purpose of the consent is to allow ongoing access to an API.

Is there anything we can do with Auth0 in order to also get this Refresh Token when the user logs in/consents?

Edit: And we are including the offline_access scope in the Custom Social Connection. We’ve tested the raw auth request outside of auth0 and we are able to get the refresh token. It’s only within auth0 that it doesn’t show.

We’d like to do this within Auth0 because we have other types of connections and it’s convenient for these to all be in the same place (Auth0).


I also raised a support ticket and got an :star2: answer :star2:

It seems that Auth0 saves the Access Token and the Refresh Token at the moment the user logs in to your app (the Refresh Token will, of course, only be saved if you include the offline_access scope in your Custom Social Connection).

These can then be retrieved at any time using the Management API. This is documented here:

In short, you just need to make a Management API request to get user (!/Users/get_users_by_id) and the original identity provider’s Access Token and Refresh Token will be included in the identities array in the response.

1 Like

Thanks for sharing it with the rest of community!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.