Hi - I’ve successfully created a workflow using my own test authentication realm based on the Google “social” connection to authenticate a user, then using the Auth0 Management API, basically call back in after the user logs in to fetch the extended user profile, including Google access and refresh tokens. The refresh token is being stored in the app_metadata blob for the user via an Auth0 rule when it’s present, given that it’s only passed in when it’s first created. No problem at all there, working fine.

However, when I move over to an application that’s not using Google Social - instead only using the Auth0 enterprise Google connection (i.e. Google Apps / Hosted), I’m not seeing a refresh token at all. Additionally, I noted that the enterprise Google connection doesn’t have permission checkboxes for various Google services like the regular Google Social connection does.

So what is, exactly, the process for enabling various Google API scopes for an enterprise Google auth setup? I figure I could get around it by enabling Google Social connection and writing a rule that limits access to just the domain in question, but that seems pretty hacky to me… Am I missing something obvious? Thanks
EDIT: I also fiddled around with sending the connectionScopes parameter through with the Lock configuration, but it appears, according to the documentation, that it’s for social connections. No mention of non-social applicability…
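
The workaround mentioned in the post (Google social connection plus a rule that limits access to one domain and keeps the refresh token in app_metadata), written out as an added example; it is not the poster's rule or Auth0's code. Assumptions: `ALLOWED_DOMAIN` and the `google_refresh_token` key are placeholders, the token is read from `user.identities[].refresh_token`, and the rule-sandbox globals `auth0` and `UnauthorizedError` are passed in through the hypothetical `makeRule` wrapper so the function also runs outside Auth0.

```javascript
// Added example. Auth0 Rules have the signature (user, context, callback).
const ALLOWED_DOMAIN = 'example.com'; // placeholder domain (assumption)

function makeRule(auth0, UnauthorizedError) {
  return function restrictGoogleAndKeepRefreshToken(user, context, callback) {
    // Only police logins that arrive through the Google social connection.
    if (context.connection !== 'google-oauth2') return callback(null, user, context);

    // Compare the exact domain after the last '@', and require a verified
    // address, so "a@example.com.evil.test" or an unverified email is rejected.
    const email = String(user.email || '').toLowerCase();
    const domain = email.slice(email.lastIndexOf('@') + 1);
    if (!user.email_verified || email.indexOf('@') < 1 || domain !== ALLOWED_DOMAIN) {
      return callback(new UnauthorizedError('Access denied for this account.'));
    }

    // Google only hands out the refresh token on first consent, so persist it
    // when present and leave any previously stored value alone otherwise.
    // Field location is an assumption (see lead-in).
    const identity = (user.identities || []).find(i => i.provider === 'google-oauth2');
    const token = identity && identity.refresh_token;
    if (!token) return callback(null, user, context);

    user.app_metadata = user.app_metadata || {};
    user.app_metadata.google_refresh_token = token; // hypothetical key name
    auth0.users.updateAppMetadata(user.user_id, user.app_metadata)
      .then(() => callback(null, user, context))
      .catch(callback);
  };
}
```

A stored refresh token is a long-lived Google credential, so keep the app_metadata key out of ID and access token claims and limit which Management API clients can read users.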