How to solve Expired / Revoked Google token from identity provider

Hi community,

I need help with an Identity Provider (IdP) issue.

Situation: I can’t find a way to [refresh / create new] Google access tokens.

My Google Social connection is configured, and login with Google works fine. In the google-oauth2 > permissions, I have Google Calendar enabled.

I am using React / Rails. When I log in, it asks me for permission to access my calendar, which works fine, and I can get the access token.

To ensure it’s working, I can create events on the calendar and check them at: https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=IDENTITY_GOOGLE_ACCESS_TOKEN, and I have my account information.

The problem is: after the token expires or is revoked, I’m stuck.

I have tried many approaches based on various tickets (most closed without a solution) and GitHub issues.

While searching for how to refresh a Google access token, I found this:

Link 1: How to refresh the access token provided by google

“Based on your description, you would like to refresh the access token provided by Google. For that use, you will need to revoke your access token with a refresh token that is provided to you with the access token.”

I don’t know if I understand this correctly. If I revoke, I will need to reauthenticate. Isn’t that breaking the Auth0 flow? Correct me if I’m wrong.

Link 2: Not getting back a refresh_token from Google · Issue #126 · auth0/auth0.js · GitHub

Even using the scope offline, offline_access, it does not work. As far as I know, the scope access_type offline should go to Google, and with the IdP token I got:

"sub": "1116854476550",
"scope": "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile openid",
"exp": "1719364447",
"expires_in": "3565",
"email_verified": "true",
"access_type": "online"

Link 3: Identity Provider Access Tokens

Here is more important information: Google OAuth 2.0 (pass the parameter access_type=offline, as well as the connection_scope parameter with required scopes, when calling the Auth0 /authorize endpoint)

I am not using the NextJS API for this, so where should I put this information?

I think it is not backend related because refresh_token does not affect M2M, as we can see here: Refresh token for M2M applications

I can reference many attempts I made, but I think the previous information is enough to move forward.

An important side note: Every time I log out and log in with Google again, the Google token in my identities is updated and works again, even if it had been revoked or expired previously.

Possible workaround: After considering the right way to solve this, can I use getAccessTokenSilently to refresh the Google identity token? If so, can I pass it via a cookie? I am not sure.

I am open to discussing this topic and to opening a PR to fix it in auth0-js core, if needed.

The solution is here: access_type offline implementation · Issue #781 · auth0/auth0-react · GitHub
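
An added example (not part of the original posts, and not Auth0's own code) showing the two pieces this thread turns on: an Auth0 /authorize URL that carries access_type=offline and connection_scope, and a check of Google's tokeninfo output that explains why a token cannot be renewed. The function names, the tenant domain, client ID, redirect URI and the Calendar scope string are assumptions; the sample tokeninfo fields are copied from the output quoted in the question.

```javascript
// Assumption: the Google Calendar scope the connection needs.
const CALENDAR_SCOPE = "https://www.googleapis.com/auth/calendar";

// Build the Auth0 /authorize URL. access_type and connection_scope are the
// upstream parameters named in the question; Auth0 relays them to Google.
function buildAuthorizeUrl({ domain, clientId, redirectUri, state }) {
  const url = new URL(`https://${domain}/authorize`);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
    scope: "openid profile email",     // Auth0 scopes
    state,                             // caller supplies an unguessable value
    connection: "google-oauth2",
    access_type: "offline",            // ask Google for a refresh token
    connection_scope: CALENDAR_SCOPE,  // Google scopes, kept separate from Auth0's
  }).toString();
  return url.toString();
}

// Inspect a parsed tokeninfo response and list every reason the Google token
// is unusable for the required scope or cannot be refreshed later.
function diagnoseTokenInfo(info, requiredScope, nowSeconds) {
  const problems = [];
  const scopes = (info.scope || "").split(/\s+/).filter(Boolean);
  if (info.access_type !== "offline") {
    problems.push("access_type is not offline: no refresh token for this grant");
  }
  if (!scopes.includes(requiredScope)) {
    problems.push(`required scope missing: ${requiredScope}`);
  }
  if (Number(info.exp) <= nowSeconds) {
    problems.push("access token has expired");
  }
  return problems;
}

// Fields as quoted in the question's tokeninfo output.
const SAMPLE_TOKENINFO = {
  scope: "https://www.googleapis.com/auth/userinfo.email " +
         "https://www.googleapis.com/auth/userinfo.profile openid",
  exp: "1719364447",
  expires_in: "3565",
  access_type: "online",
};
```

In auth0-react v2 the same two keys go inside `authorizationParams` of `loginWithRedirect`. The Google refresh token itself stays in the user's identity on the Auth0 side, so the renewal belongs in the Rails backend rather than in the browser.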
