Google refresh token not persisted

Hi,

for an application where we need to be able to Google Drive api for users I’ve setup a login flow that will request the required scope and set the access type as offline. For interacting with the Google Drive api, a refresh token is required.

The initial call is working as expected. I can then use the Auth0 api to get the full user profile, which will then include the needed access_token and refresh token in the identities property.
So far so good, but when I log out from our application and go through the login procedure, the next time I request the user profile, the refresh token is missing.

As I understood, Google only exchanges the refresh on the first authentication, but it seems odd that this will clear the refresh token from the identies in the user profile.

The only solution I found so far is to include “approval_prompt=force” query parameter. But this results in a redundant constent screen being displayed every time a user logs in.

Is there any other way round this? I would prefer not to store the refresh token on our own server.

Hi @steven.oeyen ,

Welcome to the Auth0 Community!

I did some research around this topic, and looks like the only solution is what you have described.

Adding access_type=offline&approval_prompt=force to the authentication request, then Auth0 forwards those parameters to Google, and Google returns an access_token and an refresh_token.

I understand that you don’t want users to see a redundant consent screen being displayed every time they log in. You are welcome to submit your feedback here. Hopefully it can attract more votes and be implemented soon.

hi @lihua.zhang,
thanks for the quick follow up.
In that case I guess we will have to settle for that solution for now. I would be nice to somehow store those refresh tokens in Auth0 in the future