Problem:
I’m having difficulty storing and retrieving users’ Google refresh tokens, which I should theoretically only get the first time the user logs in.
Context:
Setup: SPA with a React front-end and a Node/Express backend.
Signup flow: social login-only with Google
When signing up, we get permissions to query their Google calendar and therefore need their Google refresh token in order to be able to continue to query their Google account without needing them to re-login every hour.
I implemented the flow shown HERE
Questions
- How do we get Auth0 to hold onto the Google refresh token?
  In auth-lock, I needed to pass `scope: offline_access` when authorizing the user’s signup in order for Auth0 to not throw away the refresh token. In auth0-spa I don’t see an obvious place to add this scope. I think the most promising options are in the auth_config.json file or in the `loginWithRedirect()` function, but I tried stuff in both and couldn’t get the Google refresh token to show in the profile. How do I get Auth0 to hold onto the Google refresh token?
- Once Auth0 receives the Google refresh token, how do we retrieve it?
  In auth-lock, I needed to hit the Auth0 Management API to retrieve the user’s profile and include params to get their `identities` data, which contained the Google refresh token. I’m still able to retrieve identities using this approach now; is this still the right way to do it?
- Once the Google refresh token is retrieved, how should it be stored long-term?
  It seems like it should be stored in some kind of rule, or in our DB. Auth0 documentation seems to imply that we should store it in DB, which is ironic since one of the main reasons why we used Auth0 is so that we aren’t storing sensitive data. What is the preferred way to store the Google refresh token?