Our scenario is really simple. We want to use Google as the IdP and we have a SPA and a backend service that need to call an external Google API.
How is it possible to get a refresh token from Google without using Lock0? I didn’t find any documentation about this. Do I need to pass the access_offline scope and Auth0 will handle the thing for me?
Afterward, I think that the plan is partially clear:
- Store the refresh token in app_metadata using a predefined Auth0 rule
- In the backend, call the ManagementAPI to get the Google access_token (in identities) and refresh_token (in app_metadata)
After those steps:
Do I use the access_token in identities to make the call to the external Google API and only get a new access_token when the call fails?
Or, do I simply get a new access_token using the refresh_token, store those access_tokens in a cache backend, and validate the expiration myself? If the same user returns and his token has not expired, I reuse it; otherwise I get a new access_token.
Which of these options is better?
Last question: How do I use the Google refresh_token to get a new access_token? Do I use the Auth0 API (https://auth0.com/docs/api/authentication#refresh-token) or the Google OAuth API?
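
The second option described above (cache the access_token and check its expiration yourself), sketched as an added example that is not part of the original post and not Auth0's code. It assumes the refresh is sent from the backend to Google's OAuth 2.0 token endpoint; `TokenCache`, `buildRefreshBody`, `refreshWithGoogle`, `getAccessToken`, `loadRefreshToken` and the 60-second margin are hypothetical names and values.

```javascript
// Added example (hypothetical names): per-user cache of Google access tokens.
const GOOGLE_TOKEN_URL = 'https://oauth2.googleapis.com/token';
const SKEW_MS = 60 * 1000; // assumed safety margin: treat tokens as expired 60 s early

class TokenCache {
  constructor() { this.entries = new Map(); }
  // Return a token that is still valid at `now`, otherwise null (and evict it).
  get(userId, now = Date.now()) {
    const e = this.entries.get(userId);
    if (!e) return null;
    if (now >= e.expiresAt - SKEW_MS) { this.entries.delete(userId); return null; }
    return e.accessToken;
  }
  // Store a token endpoint response ({access_token, expires_in}) received at `now`.
  put(userId, resp, now = Date.now()) {
    if (!resp || typeof resp.access_token !== 'string' || !(resp.expires_in > 0)) {
      throw new Error('invalid token response');
    }
    this.entries.set(userId, { accessToken: resp.access_token, expiresAt: now + resp.expires_in * 1000 });
    return resp.access_token;
  }
}

// Form body for the OAuth 2.0 refresh_token grant (RFC 6749, section 6).
function buildRefreshBody(clientId, clientSecret, refreshToken) {
  return new URLSearchParams({
    grant_type: 'refresh_token',
    client_id: clientId,
    client_secret: clientSecret, // backend only; never ship this to the SPA
    refresh_token: refreshToken,
  }).toString();
}

// Exchange the refresh token at Google's token endpoint (needs Node 18+ for fetch).
async function refreshWithGoogle(creds, refreshToken) {
  const res = await fetch(GOOGLE_TOKEN_URL, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildRefreshBody(creds.clientId, creds.clientSecret, refreshToken),
  });
  if (!res.ok) throw new Error(`token refresh failed: HTTP ${res.status}`); // do not log tokens
  return res.json();
}

// Reuse the cached token while valid; otherwise refresh and cache the new one.
// `loadRefreshToken` is a caller-supplied lookup (e.g. from app_metadata).
async function getAccessToken(cache, creds, userId, loadRefreshToken, refresh = refreshWithGoogle) {
  const cached = cache.get(userId);
  if (cached) return cached;
  return cache.put(userId, await refresh(creds, await loadRefreshToken(userId)));
}
```
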