How to get Google IDP Refresh Tokens once limit is reached: 'Excess refresh tokens were removed'

We have recently implemented Google refresh tokens as part of our login request. I was unaware of the 200 refresh token limit and we were not storing the refresh tokens on our side prior to some of our users reaching that limit. For the users that have reached that limit, no refresh token is being returned on the /users/{userId} API request.

Any advice on how we can get one of the access tokens for those users? Do we need to reset the Auth0 user?

Thank you!

Hi @jcee02,

Welcome to the Auth0 Community!

From our docs it sounds like a new token should replace an old one if you hit the limit. Are you not seeing this behavior? Could you also please give an example of the request you are using to retrieve the token (omit sensitive data)?

Thank you!

Hi @dan.woda, thank you for the response. Here is the auth config I am using:

<Auth0Provider
        domain="{domain}"
        clientId="{clientId}"
        authorizationParams={{
          redirect_uri: window.location.origin,
          audience: "{apiDomain}",
          access_type: "offline",
          scope: "openid profile email offline_access",
          connection_scope: "https://www.googleapis.com/auth/gmail.readonly",
          aprroval_prompt: "force",
          useRefreshTokens: true
        }} >

Once that limit is reached and I see the token cleanup in my tenant logs for those users, the refresh token property is not returned in the identities array.

@dan.woda checking back here. Not sure if that config is what you were looking for or if you are looking for my Auth0 user request:

GET: https://{tenant}.us.auth0.com/api/v2/users/{googleUserId}

Prior to the refresh token limit being hit, the refresh token value is included in that response as part of the identities array along with the access token.

@jcee02,

Apologies for the delay and thanks for the additional data.

What happens if you request another refresh token after the cleanup? i.e.:

  • Refresh token exists in the user identity
  • Token limit is hit and the cleanup happens
  • Request a new user refresh token on next login

The same request I make prior to the limit being hit does not return a refresh token once the limit is reached and the cleanup happens. The property is not in the user response where I get it prior to the limit being reached.

@dan.woda just checking in if there is any update on how I might handle this. Thank you!
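
As an added example (not code from any poster in this thread or from Auth0): one way to save the Google refresh token server-side the first time it appears in the identities array, and to detect the case described above where the property is later absent. The `store` Map, the status strings and the sample user objects are assumptions constructed for illustration.

```javascript
// Added example. Field names (identities, provider, user_id, access_token,
// refresh_token) follow the user response described in the thread.
// `store` is a hypothetical Map standing in for encrypted server-side storage.
const GOOGLE_PROVIDER = "google-oauth2";

function findGoogleIdentity(user) {
  const identities = Array.isArray(user?.identities) ? user.identities : [];
  return identities.find((i) => i && i.provider === GOOGLE_PROVIDER) || null;
}

// Returns a status only, never the token itself, so callers can log the result.
function syncGoogleRefreshToken(store, user) {
  const identity = findGoogleIdentity(user);
  if (!identity) return { status: "no_google_identity" };

  const key = `${GOOGLE_PROVIDER}|${identity.user_id}`;
  const token = identity.refresh_token;
  if (typeof token === "string" && token.length > 0) {
    const previous = store.get(key);
    store.set(key, token);
    if (previous === undefined) return { status: "stored", key };
    return { status: previous === token ? "unchanged" : "rotated", key };
  }
  // Property absent (the post-cleanup case): keep whatever was saved earlier.
  return { status: store.has(key) ? "kept_stored_copy" : "missing_no_stored_copy", key };
}

// Constructed sample responses; token values are placeholders.
const beforeCleanup = {
  user_id: "google-oauth2|1234567890",
  identities: [{ provider: "google-oauth2", user_id: "1234567890",
                 access_token: "ACCESS_PLACEHOLDER", refresh_token: "REFRESH_PLACEHOLDER" }],
};
const afterCleanup = {
  user_id: "google-oauth2|1234567890",
  identities: [{ provider: "google-oauth2", user_id: "1234567890",
                 access_token: "ACCESS_PLACEHOLDER_2" }],
};

function demo() {
  const store = new Map();
  return [
    syncGoogleRefreshToken(store, beforeCleanup).status, // first sight of the token
    syncGoogleRefreshToken(store, afterCleanup).status,  // property gone, copy retained
    syncGoogleRefreshToken(new Map(), afterCleanup).status, // never stored: nothing to fall back on
  ];
}
console.log(demo());
```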