IDP's access_token is missing in the profile's response

We followed the following link to get the access_token for the Identity Providers. We (our developers) spent a lot of time troubleshooting the issue, as we were not seeing the access_token of the Identity Provider.

Contrary to the above document, the response never has an access_token. Here is the curl we used for testing:

# GET the user record from the Management API; the Bearer token must be a
# Management API v2 access token (the JSON body is ignored by this endpoint).
curl --request GET \
  --url 'https://<ACCOUNT>.auth0.com/api/v2/users/<USER_ID>' \
  --data '{"grant_type": "client_credentials", "client_id": "<CLIENT_ID>", "client_secret": "<CLIENT_SECRET>", "audience": "<AUDIENCE>"}' \
  --header 'authorization: Bearer <ACCESS_TOKEN of AUTH0>'

Response

{  
   "email":"<email>@gmail.com",
   "email_verified":true,
   "name":"stac tom",
   "given_name":"stac",
   "family_name":"tom",
   "picture":"<picture_path>",
   "gender":"male",
   "locale":"en",
   "updated_at":"2018-04-29T13:21:44.680Z",
   "user_id":"<User_ID>",
   "nickname":"<nickname>",
   "identities":[  
      {  
         "provider":"google-oauth2",
         "user_id":"<USER_INT_ID>",
         "connection":"google-oauth2",
         "isSocial":true
      }
   ],
   "created_at":"2018-04-05T03:29:10.083Z",
   "last_ip":"<IP>",
   "last_login":"2018-04-29T13:21:44.680Z",
   "logins_count":129
}

Also, we have the following scopes selected in the Auth0 Portal:

read:user_idp_tokens
read:users

What is it you're trying to accomplish with the IdP? I do see that in your example above, you're also missing the `expires_in` from the `identities` collection… which makes me wonder if you need to refresh that user's connection to the IdP? Have you checked other users to see if you have the same results?

I was expecting the access_token of an IdP (which is GitHub in this case), so I can use that token against the GitHub API.

This was not about refreshing tokens; so far I cannot get the access_token for GitHub.

And the same case for a Google account.

As we cannot get the access_token and expires_time when tested against the GitHub and Google IdPs, please let us know what was wrong in our test; we followed everything as per the document. Was the document not up to date?

We can do a quick test/check that the access token is present through the API explorer in the browser: Auth0 Management API v2 (make sure to set the API token to use the explorer, instructions here, with the read:user_idp_tokens scope set as well). You should be able to see the access_token under the identities field. I was able to obtain tokens for both Google and GitHub accounts. Please let me know.

When we call the /v2/users/ endpoint we send the Management API v2 access token, and the non-interactive client (the one making the request) should have the scope read:user_idp_tokens set. So this all looks to be good, along with your settings for the client credentials grant. I am going to list the values just to verify:

"client_id":"NON_INTERACTIVE_CLIENT_ID",
"client_secret":"NON_INTERACTIVE_CLIENT_SECRET",
"audience":"https://YOUR_DOMAIN.auth0.com/api/v2/",
"grant_type":"client_credentials"

Another place we can check is whether any Rules or Hooks are running that may be causing an issue.

Just tested, I still don't see the access_token or expiry_time.


I have tested in the link you provided. It returns output successfully, but not what I was looking for. Should I create another Auth0 account and test it? Was it because ours is a free account?

I have tested again; this time I did not use the access_token received along with the identityToken. Instead I requested the Identity Management API's access token and used that token to get the profile. Now I can see the access_token of the IdP.

@stackflow1 awesome! Is the access_token for the IdP the only thing you were having trouble retrieving? Let us know if you have any other issues going forward. Glad to see you got it working!

Thanks for your help. That is right, only the access_token for the IdP. But I want to understand the difference from the access_token that is received along with the id_token on the client side. I use the following code to receive the access token. And when using that access_token to query against the Identity Management API v2, I was not able to get the access_token for the IdP.

        // Auth0 Lock configured for the implicit flow: the browser receives an
        // access_token minted for config.AUTH0_API_AUDIENCE plus an id_token.
        const lock = new Auth0Lock(config.AUTH0_CLIENT_ID, config.AUTH0_DOMAIN, {
            auth: {
                redirectUrl: config.REDIRECT_URL,
                responseType: 'token id_token',
                audience: config.AUTH0_API_AUDIENCE,
                params: {
                    // scopes requested for the user-facing access_token
                    scope: 'openid profile email read:users read:current_user read:user_idp_tokens',
                },
            },
            theme: {
                primaryColor: '',
            },
        });
        lock.show(); // display the login widget

But when I pull an access_token as below, that token works to retrieve the access_token for the IdP. I am not sure what the difference is between the one I am pulling from the client vs. the other one (/oauth/token) that I need to call.

curl --request POST \
  --url https://cdmbase-test.auth0.com/oauth/token \
  --header 'content-type: application/json' \
  --data '{"client_id":"<CLIENT_ID>","client_secret":"<CLIENT_SECRET>","audience":"<AUDIENCE>","grant_type":"client_credentials"}'
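The flow the thread converges on, as an added example that is not part of the thread or Auth0's own code: obtain a Management API token with the client credentials grant at /oauth/token, inspect its scope claim for read:user_idp_tokens before spending time on the profile call, then GET /api/v2/users/{id} and read identities[].access_token. It runs offline against a constructed transport standing in for fetch(); the domain, client credentials, user ID, the JWT payloads and the identities responses (including the case where access_token is absent) are all constructed, and scopesOf only decodes the token payload for diagnosis, it does not verify a signature.

```javascript
'use strict';

// Constructed values for the offline demo (not real tenant data or credentials).
const DOMAIN = 'example-tenant.auth0.com';
const USER_ID = 'google-oauth2|1234567890';

// Build an unsigned, constructed JWT so that a scope claim can be inspected locally.
function fakeJwt(scope) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'none', typ: 'JWT' })}.${b64({ aud: `https://${DOMAIN}/api/v2/`, scope })}.`;
}

// Decode (not verify) the scope claim of a token. Diagnostic only: it tells you
// before calling the Management API whether read:user_idp_tokens was granted.
function scopesOf(token) {
  const parts = String(token).split('.');
  if (parts.length < 2) return [];
  try {
    const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
    return typeof payload.scope === 'string' ? payload.scope.split(' ').filter(Boolean) : [];
  } catch {
    return [];
  }
}

// Step 1: client credentials grant with the Management API as audience
// (the same request as the /oauth/token curl in the thread).
async function getManagementToken({ domain, clientId, clientSecret }, transport = globalThis.fetch) {
  const res = await transport(`https://${domain}/oauth/token`, {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify({
      grant_type: 'client_credentials',
      client_id: clientId,
      client_secret: clientSecret,
      audience: `https://${domain}/api/v2/`,
    }),
  });
  if (!res.ok) throw new Error(`/oauth/token failed: HTTP ${res.status}`);
  const { access_token } = await res.json();
  if (!scopesOf(access_token).includes('read:user_idp_tokens')) {
    throw new Error('token lacks read:user_idp_tokens; grant it to the non-interactive client');
  }
  return access_token;
}

// Step 2: GET the user (no request body) and pull the IdP token out of identities[].
// Returns null when the field is absent, which is the symptom described in the thread.
async function getIdpAccessToken({ domain, mgmtToken, userId, provider }, transport = globalThis.fetch) {
  const res = await transport(`https://${domain}/api/v2/users/${encodeURIComponent(userId)}`, {
    method: 'GET',
    headers: { authorization: `Bearer ${mgmtToken}` },
  });
  if (!res.ok) throw new Error(`/api/v2/users failed: HTTP ${res.status}`);
  const profile = await res.json();
  const identity = (profile.identities || []).find((i) => i.provider === provider);
  if (!identity) throw new Error(`user has no ${provider} identity`);
  if (!identity.access_token) return null;
  return { accessToken: identity.access_token, expiresIn: identity.expires_in ?? null };
}

// Constructed stand-in for fetch(): answers the two endpoints with the shapes seen in the
// thread, and omits identities[].access_token when the bearer lacks read:user_idp_tokens.
function fakeTransport(url, init = {}) {
  const reply = (status, body) => ({ ok: status < 300, status, json: async () => body });
  if (url.endsWith('/oauth/token') && init.method === 'POST') {
    const req = JSON.parse(init.body);
    if (req.grant_type !== 'client_credentials' || req.audience !== `https://${DOMAIN}/api/v2/`) {
      return reply(403, { error: 'access_denied' });
    }
    return reply(200, { access_token: fakeJwt('read:users read:user_idp_tokens'), token_type: 'Bearer', expires_in: 86400 });
  }
  if (url.includes('/api/v2/users/') && init.method === 'GET') {
    const scopes = scopesOf((init.headers.authorization || '').replace(/^Bearer /, ''));
    if (!scopes.includes('read:users') && !scopes.includes('read:current_user')) return reply(401, { message: 'Unauthorized' });
    const identity = { provider: 'google-oauth2', user_id: '1234567890', connection: 'google-oauth2', isSocial: true };
    if (scopes.includes('read:user_idp_tokens')) {
      identity.access_token = 'ya29.constructed-google-token';
      identity.expires_in = 3599;
    }
    return reply(200, { user_id: USER_ID, email: 'user@example.com', identities: [identity] });
  }
  return reply(404, { message: 'Not Found' });
}

// Run both cases: a constructed browser-side token without read:user_idp_tokens, then a
// Management API token obtained through the client credentials grant.
async function demo() {
  const base = { domain: DOMAIN, userId: USER_ID, provider: 'google-oauth2' };
  const userToken = fakeJwt('openid profile email read:current_user');
  const missing = await getIdpAccessToken({ ...base, mgmtToken: userToken }, fakeTransport);
  const mgmtToken = await getManagementToken(
    { domain: DOMAIN, clientId: 'NON_INTERACTIVE_CLIENT_ID', clientSecret: 'NON_INTERACTIVE_CLIENT_SECRET' },
    fakeTransport,
  );
  const found = await getIdpAccessToken({ ...base, mgmtToken }, fakeTransport);
  return { missing, found };
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

To run it against a real tenant, drop the fakeTransport argument so the functions fall back to the global fetch, and keep the client secret server-side: the non-interactive client and its secret belong to a backend, never to the Lock-based browser code shown earlier in the thread.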

:wave: @stackflow1 were you able to get the access_token for the IdP?