Please ignore my previous answer, as it only applies when you want to log in with Google, but in your case you need to also call the Google APIs (such as calendar). Then of course, you’d need to deal with the Google tokens directly. So, sorry about the confusion here.
So according to the docs, for Google, you would need to add access_type: offline to the /authorize request:
Call an Identity Provider API:
For certain Identity Providers, Auth0 will store a Refresh Token which you can use to obtain a new Access Token for the IdP. This works for: BitBucket, Google (OAuth 2.0), […].
Identity Provider Access Tokens:
There is no standard way to renew IdP Access Tokens through Auth0. The mechanism for renewing IdP Access Tokens varies for each provider.
- Google OAuth 2.0 (you need to pass the parameter access_type=offline when calling the Auth0 /authorize endpoint)
Get the IdP Refresh Tokens in the same way as Access Tokens, using the /api/v2/user/{user-id} endpoint. The Refresh Tokens will be available in the identities array, under the element for the particular connection.
So, regarding our questions:
How do we get Auth0 to hold onto the Google refresh token?
In order to make Auth0 get a refresh token in the first place, your SPA needs to make the authorize request with the parameters:
access_type: "offline"
as well as the respective audience to the authorize request, such as:
connection_scope: "https://www.googleapis.com/auth/calendar.events.readonly"
Example here: Can't get google refresh token using auth0.js - #2 by vinicius.spagnol
Once Auth0 receives the Google refresh token, how do we retrieve it?
Afterwards, the refresh token is in the user profile’s identities, which you can get via Auth0 Management API from your backend.
Once the Google refresh token is retrieved, how should it be stored long-term?
Either store it securely in your backend (i.e. database) or fetch it from a user profile via Auth0 management API when you need it.
Regarding storing the Google tokens, I actually found a similar question here:
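
Added example, not part of the original post or Auth0's own code: a backend sketch of the last two answers, pulling the Google refresh token out of the identities array of a user profile and encrypting it before it goes into a database. The function names, the sample profile and the "google-oauth2" provider value are assumptions for illustration; the profile is constructed and the tokens in it are fake.

```javascript
const crypto = require('crypto');

// Constructed sample of a user profile as returned to the backend (fake tokens).
const sampleProfile = {
  user_id: 'google-oauth2|000000000000000000001',
  identities: [
    { provider: 'auth0', connection: 'Username-Password-Authentication', isSocial: false },
    { provider: 'google-oauth2', connection: 'google-oauth2', isSocial: true,
      access_token: 'constructed-access-token',
      refresh_token: 'constructed-refresh-token' },
  ],
};

// Hypothetical helper: return the Google refresh token, or null when the
// profile has no Google identity or that identity carries no refresh token
// (for example, the login was made without access_type=offline).
function extractGoogleRefreshToken(profile) {
  const ids = Array.isArray(profile && profile.identities) ? profile.identities : [];
  const google = ids.find((i) => i.provider === 'google-oauth2');
  return google && typeof google.refresh_token === 'string' ? google.refresh_token : null;
}

// Hypothetical helper: AES-256-GCM encryption for storage at rest. The user id
// is bound as additional authenticated data, so a ciphertext copied onto
// another user's row fails to decrypt. Output: base64(iv | tag | ciphertext).
function sealToken(token, key, userId) {
  const iv = crypto.randomBytes(12); // fresh nonce per encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(userId, 'utf8'));
  const ct = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Reverse of sealToken; throws if the key, user id or ciphertext do not match.
function openToken(sealed, key, userId) {
  const raw = Buffer.from(sealed, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(userId, 'utf8'));
  decipher.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}
```

The 32-byte key belongs in a secrets manager or KMS, not next to the ciphertext in the same database.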