
Renewing Google API access token without offline access doesn't work anymore. Auth0 bug?

auth0
api
google
access-token

#1

Hi!

I have a problem since migrating to the new Auth0 API after getSSOData() got deprecated.
Context: I’m using angular-auth0 in the frontend. I want to upload files to a user’s Google Drive. The user is logged in for up to 7 days on my page, but the Google access token is only valid for 60 mins. So I activated the ‘Use Auth0 instead of the IdP to do Single Sign On’ switch in the dashboard and used the sso-endpoint to check if the user is logged in and silently signed him in again so the Google token refreshes. This worked without asking for offline access with the following code:

//... gets called if the last relogin is 60mins+ ago
angularAuth0.getSSOData(function (err, data) {
    // Guard against a missing payload on error before touching data.*
    var lastUsedConnection = (err || !data) ? undefined : data.lastUsedConnection;
    var connectionName = (_.isUndefined(lastUsedConnection) ? undefined : lastUsedConnection.name);
    var isGoogle = (_.isUndefined(connectionName) ? false : connectionName === "google-oauth2");
    // Only re-login silently when an Auth0 SSO session exists and it came from Google
    if (!err && data.sso && isGoogle) {
        localStorage.setItem("last-relogin", new Date().getTime());
        try {
            // Silent re-login through the same connection; state brings the user back to the current route
            angularAuth0.signin({
                connection: data.lastUsedConnection.name,
                state: $location.path()
            });
        }
        catch (e) {
            logout();
        }
    }
    //...
});

This forced a new silent login, resulting in a fresh Google access token. It worked just fine.

However, after Auth0 deprecated the sso-endpoint, the above code stopped working. So I migrated to the new version and tried to use checkSession(). But the behaviour is different. It does refresh the token, but only the Auth0 token and not the Google token.

So I tried to use the authorize()-function, but it also doesn’t refresh the Google token. It’s weird because in the dashboard it logs as “Success Login” - the same log event as a normal login if the user gets redirected to the Google oauth-screen. But only if the user gets redirected to the Google oauth-screen and clicks his account does the token get refreshed. Not if the authorize-endpoint logs him in “silently” (silently as in only redirecting him to my redirectUri, bypassing the Google oauth screen).

This behaviour is not acceptable for my service, because every Google API call fails if the user manually logged in 60 mins+ ago. As a workaround I decreased the expiry time of the Auth0 token from 7 days to 60 mins, so the user is forced to go through Google’s oauth screen as soon as the API token expires, but that is a real bummer, especially because it worked with the old Auth0 API.

So, is there any way to get the old behaviour with the new API? Or is this a bug in the new API? How am I able to refresh the Google access token? I don’t want to ask for offline access.

Best regards
phlow
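The underlying problem in the post is a lifetime mismatch: a 7-day Auth0 session wrapped around a 60-minute Google access token. The following is an added example, not code from the post or from Auth0, showing one way to keep that mismatch from surfacing as failed Drive calls: a guard that checks the age of the last Google re-login before each API call, treats a missing or corrupt timestamp as stale, and makes concurrent callers share a single re-login instead of each triggering one. `storage`, `now`, `reauth` and `lastUsedConnection` are hypothetical injected dependencies; `reauth` stands for whatever re-login the app uses (for instance the redirect through the google-oauth2 connection described above).

```javascript
// Added example: guard Google API calls against a stale 60-minute Google token.
// Not part of the original post and not an Auth0 API; all names are assumed.
const GOOGLE_TOKEN_LIFETIME_MS = 60 * 60 * 1000;
const SAFETY_MARGIN_MS = 2 * 60 * 1000; // re-login slightly early, before calls start failing

function createGoogleTokenGuard({ storage, now, reauth, lastUsedConnection }) {
  const KEY = 'last-relogin';   // same key the post stores on each silent re-login
  let inFlight = null;          // shared promise: parallel callers wait for one re-login

  // True when the Google token is (or is about to be) past its 60-minute lifetime.
  function tokenIsStale() {
    if (lastUsedConnection !== 'google-oauth2') return false; // no Google token to refresh
    const raw = storage.getItem(KEY);
    const last = Number(raw);
    // Missing or corrupt timestamp: assume stale rather than risk a failing API call
    if (raw === null || raw === '' || !Number.isFinite(last)) return true;
    return now() - last >= GOOGLE_TOKEN_LIFETIME_MS - SAFETY_MARGIN_MS;
  }

  // Re-login only if needed; resolves to true when a re-login was performed.
  async function ensureFresh() {
    if (!tokenIsStale()) return false;
    if (!inFlight) {
      inFlight = Promise.resolve(reauth())
        .then(() => storage.setItem(KEY, String(now())))
        .finally(() => { inFlight = null; });
    }
    await inFlight;
    return true;
  }

  // Run apiCall (e.g. a Drive upload) only once the Google token is known fresh.
  async function call(apiCall) {
    await ensureFresh();
    return apiCall();
  }

  return { tokenIsStale, ensureFresh, call };
}

// Constructed in-memory stand-in for localStorage so the example runs offline.
function fakeStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}
```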