We’re using a Custom Social Connection to connect with an organization that has implemented an OpenID Connect Provider that conforms to a publicly defined specification.
In accordance with the specification, we need to receive Refresh Tokens for users of the OIDC Provider, so that we can later allow our customers to make bookings on their (the user’s) data. However, Refresh Tokens are not available to the “Fetch User Profile Script” in the Custom Social Connection.
The user just signs in to our dashboard to consent and sign some terms. It’s much later that we actually need to access the OIDC Provider’s API on their behalf. In order to do this we need Access Tokens. As this API access can happen much later than the user’s dashboard sign-in, we need Refresh Tokens in order to generate new Access Tokens. This is an ongoing consent, which could last months, years, etc. So a Refresh Token is definitely needed. The specification strongly advises using Refresh Tokens as, otherwise, the user would have to keep repeatedly signing in to our dashboard and generating Access Tokens for us.
I’ve seen a similar question asking about this here: custom social connections and refresh_token. For this, the answer suggested that they may not be needed for that use case. That may have been so but, in this case, it really is needed as the purpose of the consent is to allow ongoing access to an API.
Is there anything we can do with Auth0 in order to also get this Refresh Token when the user logs in/consents?
Edit: And we are including the offline_access scope in the Custom Social Connection. We’ve tested the raw auth request outside of Auth0 and we are able to get the refresh token. It’s only within Auth0 that it doesn’t show.
We’d like to do this within Auth0 because we have other types of connections and it’s convenient for these to all be in the same place (Auth0).