How to get a new Google access_token using refresh_token


Our scenario is really simple. We want to use Google as the IdP and we have a SPA and a backend service that need to call an external Google API.

How is it possible to get a refresh token from Google without using Lock0? I didn’t find any documentation about this. Do I need to pass the access_offline scope and Auth0 will handle the thing for me?

Afterward, I think that the plan is partially clear

  1. Store the refresh token in app_metadata using a predefined Auth0 rules
  2. In the backend, call the ManagementAPI to get the Google access_token (in identities) and refresh_token (in app_metadata)

After those steps :

Option 1

Do I use the access_token in identities to make the call to the external Google API and only get a new access_token when the call fails

Option 2

Or, do I simply get a new access_token using the refresh_token and store those access_token in a cache backend and validate the expiration myself? If the same user returns and is token did not expired I reuse it, otherwise I get a new access_token.

Which of these options is better?

Last question : How do I use the Google refresh_token to get a new access_token? I use the Auth0 API (Authentication API Explorer) or the Google OAuth API?