I have an access token from an IDP (Box). Unfortunately the access token only lasts an hour, so I need to use the refresh token that Box returns to update the access token. My understanding is that refresh tokens are only supported for certain IDPs (Identity Provider Access Tokens).
How would I go about getting the refresh token when my user logs into their Box account?
Your understanding is correct and Box is on the not supported list; one possibility would be for you to perform an additional OAuth2 authorization request directly to Box. Given the end-user just authenticated to Box it’s highly likely that this second request will either only request for additional consent (if you require additional scopes/permissions that the authentication one did not grant) or even not require any interaction from the end-user.
Have in mind that the above may differ depending on the OAuth provider in question (some may not even support it) and that in this case Box will have to allow to have a client application registered both with an Auth0 redirect URL to handle the login flow and also a redirect to your client application itself to handle the authorization flow that would get you a refresh token.