
Manage and refresh access tokens for identity providers



We are using a custom identity provider and need to interact with it from our server side using the access token obtained during authentication.

The article "Call an Identity Provider API" explains the step-by-step workflow for retrieving the access token (and refresh token) for the identity provider.

But what’s next?

What is the recommended way to handle renewal of access tokens using the refresh token?
How and where should new access tokens and refresh tokens be stored after they are updated?

I saw similar questions a few times on this forum but haven't found a definitive answer so far.

I understand that our backend should have our own logic to interact with the identity provider directly to refresh tokens when needed.

But what is the best recommended way to store the tokens, and where?
As I understand it, it's not possible to update tokens in the Auth0 user profile?

The primary reason we decided to use Auth0 is to avoid storing sensitive data such as users’ authentication keys in our storage.

It would be great if Auth0 had some extensibility points (webhooks, callbacks, a dedicated IdP token API), or at least had guidelines on how to do it right.