Manage & refresh refresh /access tokens for identity providers in Auth0


We are using a range of custom identity providers (for example, but not limited to, Gitlab, Atlassian etc.) using a social connection.
We need to interact with them from our backend using the access token obtained during authentication and perform some actions against these providers APIs on a regular basis (ie cronjobs).

A common practice is to provide short-lived access tokens. For example, Gitlab rolled out an new version last year with access tokens expiring after 2 hours. Atlassian is somehow similar.

We tried using Auth0 provided refresh_token to get a new access_token using identity provider API directly (at least with Atlassian and Gitlab). However, both access and refresh tokens seem to be rotated in that case.

Hence we cannot use the refresh token without updating the new one to Auth0. The reduced lifespan of the access_token make this operation critical now.

My questions are the following:

  1. What is the recommended way to handle renewal of access tokens using refresh tokens?
  2. How and where to store new access tokens and refresh tokens after they are updated?
  3. Is updating custom IDP tokens in the Auth0 user profile possible?

I saw similar questions a few times on this forum but didn’t find the definitive answer so far. I’ve seen code samples for specific IDPS, also some answers are 5+ years ago.

The primary reason we decided to use Auth0 is to avoid storing sensitive data such as users’ access tokens in our backend. The current setup defeats the purpose (or I am missing something here).

It would be great if Auth0 would have some extensibility points (webhooks, callbacks, dedicated IdP token API), or at least would have a clear documentation and guidelines on how to handle these tokens right.