How to do user login and get refresh token to invoke gmail apis?

EDIT to newest flow that still doesn’t work. LAST EDIT → I gave up and went to google oauth and was done in way less time than auth0, so going with straight app → google or app → 3rd party going forward instead for speed. There are just no responses and no docs on the flow for refresh token.

This has become so complicated, I keep thinking of ditching auth0 :frowning: and just using google straight up to prevent the man in the middle confusion.

I read through this post Having trouble enabling Allow Offline Access however I still need a refresh token I believe for gmail apis. I was trying to get it through the mgmt api but that only gave me an access token that I could use for 1 hour and then my app stops working.

I had login working doing this but now I have no refresh token so that I can call gmail apis on the user’s behalf once per week (ie. offline)

  • redirect to auth0 /authorize

      // Build the Auth0 /authorize redirect; every value is URL-encoded beforehand
      String url = "https://"+domain+"/authorize" +
              "?response_type=code" +
              "&client_id=" + auth0Config.getClientId() +
              "&scope=" + urlEncodedScope +
              "&state="+urlEncodedSecret+
              "&access_type=offline"+
              "&audience="+urlEncodedAudience +
              "&redirect_uri="+ urlEncodedCallbackUrl.get();
    
  • auth0 redirects back to my /callback

  • I decode the jwt and have aud, sid, etc and see the AUTH0 refresh token

  • I then call /oauth/token with scopes “openid profile email phone offline_access” and grant type ‘authorization_code’ . This seems to give me a valid refresh token

  • I then call /api/v2/users/{id} and this gives me google access token but no refresh token still :frowning:

Where in the flow am I going wrong here so I can get a refresh token for the user so I can fiddle with the stuff he wants once per week in gmail?

This document fetches the management api refresh token NOT the google refresh token (that was not clear but I get it now) → Get Refresh Tokens

I read another doc that shows getting google’s access token BUT it does not show how to get the refresh token → Call an Identity Provider API

In the end I also tried to see if calling /api/v2/users/{id} would get me a new access token but it did not and using google’s curl endpoint showed that the token expired and auth0 was not refreshing it. I am investigating moving completely to google now as I have exhausted all options from what I can tell and there is no step by step on 3rd party identity provider refresh tokens (probably easier to integrate on my own with each one since they do have refresh token docs where auth0 does not really and you have to piece together many docs and forum posts - I could not piece it together I guess)

I see no document on full steps to get the google refresh token and tried to piece together forum posts but could not.
thanks,
Dean

Hey @dean2 sorry for the delayed response here, but wanted to get back to you regardless.

You should be able to get a Google refresh token by including access_type=offline as a param in your initial authorize request as mentioned here:

In my example above, I see the line &access_type=offline but for some reason, refresh token was the mgmt api refresh token and not google’s when I tried to validate with google. I gave up and I have it 100% working in google now. If I recall, when I read the Identity as well, the refresh token was not there in the identity provider either. At any rate, now that I have a working thing with google, I do not have time to revisit with auth0 anymore. thanks!!!


Hey @dean2 !

You’re right, I completely missed the access_type=offline param in your first request - Things can certainly get a bit complex when working with external IDP tokens, but I am glad to hear you got this working with Google directly and that suits your use case.

Cheers!
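
The flow discussed in this thread, as an added example in Python that is not part of any post above: it builds the /authorize redirect with encoded parameters and a random `state`, checks `state` on the callback, and reports whether the Google identity in a /api/v2/users/{id} response carries a refresh token. The function names, the sample values and the response field names (`identities`, `provider`, `access_token`, `refresh_token`) are assumptions made for illustration.

```python
import hmac
import json
import secrets
from urllib.parse import urlencode


def build_authorize_url(domain, client_id, redirect_uri, audience, scope):
    """Return (url, state); keep state in the user's session for the callback."""
    state = secrets.token_urlsafe(32)  # unpredictable per-request value
    params = {
        "response_type": "code",
        "client_id": client_id,
        "scope": scope,
        "state": state,
        "access_type": "offline",  # the parameter discussed in the thread
        "audience": audience,
        "redirect_uri": redirect_uri,
    }
    # urlencode percent-encodes every value, so nothing is concatenated raw.
    return f"https://{domain}/authorize?{urlencode(params)}", state


def state_matches(expected, received):
    """Constant-time comparison of the stored state with the callback's state."""
    return hmac.compare_digest(expected.encode(), (received or "").encode())


def idp_tokens(user_profile_json, provider="google-oauth2"):
    """Report which tokens the provider's identity carries, without exposing them."""
    profile = json.loads(user_profile_json)
    for identity in profile.get("identities", []):
        if identity.get("provider") == provider:
            return {
                "has_access_token": bool(identity.get("access_token")),
                "has_refresh_token": bool(identity.get("refresh_token")),
            }
    return None  # no identity for that provider


# Constructed sample of a /api/v2/users/{id} body (field names are assumptions);
# it mirrors the thread: a Google access token but no Google refresh token.
SAMPLE_PROFILE = json.dumps({
    "user_id": "google-oauth2|000000000000",
    "identities": [{
        "provider": "google-oauth2",
        "connection": "google-oauth2",
        "isSocial": True,
        "access_token": "constructed-google-access-token",
    }],
})
```

Calling `idp_tokens(SAMPLE_PROFILE)` returns only booleans, so the check can be logged during debugging without writing token values to the log.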