NextJS missing Google refresh token

I am building a NextJS app. I have read that I need to pass the offline_access to the scopes to get a refresh token from Google. I did this as per the docs using the AUTH0_SCOPE env var. However when I use the management API, I only see an access_token from Google.

How can I get a refresh_token from Google?

Hey there @matusgallik008 welcome to the community!

I haven’t had the chance to verify this myself, but it looks like getting a refresh token in particular from Google is covered here:

Hope this helps!

@tyf thanks for the response. Yeah, I read it and they discuss calling the /authorize route, but I am using the nextjs lib. I don’t see where I am calling this route so I am a bit confused as to how to use the answer provided there. I added offline_access to my AUTH0_SCOPES variable as per docs but that does not change it.

Hey @matusgallik008 sorry I wasn’t more clear in my response - The authorize request to Google is constructed by the SDK when a user clicks “Continue with Google” in the Universal Login widget. I have only tested this in auth0-react, but I believe all you need to do is add access_type=offline to the AuthorizationParameters.

When you click to login with Google, you should see a url like this (notice access_type=offline in the address bar):

I will note that the Google refresh token only remains in the Identities array on initial login - It will be cleared after subsequent logins from the user.

Out of curiosity, what are you looking to use the Google refresh token for? You might be looking for the Auth0 refresh token (separate artifact) but I’d like to make sure.

Cheers!

Hi @tyf

Hmm okay, I am not fully sure what you mean by Universal Login widget, but I’ll have a look if I can find something like that in the docs.

Ah, so only the initial login will have the refresh_token in the user object from the management api?

I think I need the Google token - I want to access Gmail on my users’ behalf and I need it asynchronously (so possibly the current Google session expired).

Cheers,
Matt

Hi @matusgallik008 :wave:

So the access_type=offline parameter typically relates to the situation where you require an Auth0 Refresh Token. For clarification, Auth0 tokens - i.e. ID Token, Access Token and Refresh Token - are independent artefacts and are separate from those generated by Google or any other OIDC/OAuth 2 compliant upstream IdP.

When you use “Continue with Google” in Universal Login, Auth0 is leveraging the Google Authorization Server as an upstream IdP. The same is true if you use the likes of Facebook, Twitter or any other 3rd party supported by Auth0: the Authorization Servers provided by those services are used as the upstream IdP. For convenience, Auth0 typically stores the Access Token that might be returned by an upstream IdP; such a token is stored as part of the user’s profile record in the corresponding entry in the identities array (as mentioned in previous comments). Such tokens are typically short-lived, and typically are provided so that Auth0 Extensibility - such as an Action, Rule or Hook - can call upstream IdP services to obtain additional information about a user. Auth0 does not typically store any Refresh Token delivered by an upstream IdP.

If your application is looking for a Google specific Access Token (or Google specific Refresh Token) in order to call Google specific APIs - either directly, or via one of the many Google SDKs (such as googleapis) - then you will typically need to redirect to the Google Authorization server directly in order to obtain said token. You can do this once authentication via Auth0 has completed, and it should be a seamless operation - i.e. the user should not be asked to interactively login - as the (Google) SSO session already established by authenticating via Auth0 will be used. You can find more on Google Authorization here.

Hope this helps :sunglasses:

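The direct redirect to Google described in the last reply, sketched as an added example (not code from the thread, Auth0 or Google): it builds the authorization URL with `access_type=offline`, then validates the callback and prepares the code exchange. The function names, the config object and the Gmail read-only scope are assumptions chosen for illustration.

```javascript
// Added example; function names and config values are hypothetical.
const crypto = require('node:crypto');

const GOOGLE_AUTH = 'https://accounts.google.com/o/oauth2/v2/auth';
const GOOGLE_TOKEN = 'https://oauth2.googleapis.com/token';

// Step 1 (server side): build the redirect. `state` and `codeVerifier` must be
// kept in the user's server-side session so the callback can be validated.
function buildGoogleAuthUrl({ clientId, redirectUri }) {
  const state = crypto.randomBytes(32).toString('base64url');
  const codeVerifier = crypto.randomBytes(32).toString('base64url');
  const codeChallenge = crypto.createHash('sha256').update(codeVerifier).digest('base64url');
  const url = new URL(GOOGLE_AUTH);
  url.search = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: 'code',
    scope: 'https://www.googleapis.com/auth/gmail.readonly',
    access_type: 'offline', // ask Google for a refresh token
    prompt: 'consent',      // without a consent step Google omits refresh_token on repeat grants
    state,
    code_challenge: codeChallenge,
    code_challenge_method: 'S256',
  }).toString();
  return { url: url.toString(), state, codeVerifier };
}

// Step 2 (callback handler): reject forged or replayed callbacks, then build
// the POST that exchanges the code. Pass the result to fetch() in real use.
function buildTokenRequest(query, session, { clientId, clientSecret, redirectUri }) {
  if (query.error) throw new Error(`Google returned error: ${query.error}`);
  const got = Buffer.from(String(query.state ?? ''));
  const want = Buffer.from(session.state);
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    throw new Error('state mismatch: possible CSRF, discard the code');
  }
  if (!query.code) throw new Error('callback carried no authorization code');
  return {
    url: GOOGLE_TOKEN,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      grant_type: 'authorization_code',
      code: query.code,
      client_id: clientId,
      client_secret: clientSecret,
      redirect_uri: redirectUri,
      code_verifier: session.codeVerifier,
    }).toString(),
  };
}
```

The `refresh_token` in Google's response to that POST is a long-lived credential for the user's mailbox: keep it server-side, encrypted at rest, and never return it to the browser.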