Tags: authentication, oauth-2.0, google-oauth, auth0

Auth0 Lock - Google oauth2 unable to get refresh_token


I'm using Auth0 Lock with the google-oauth2 connection and I need to get a refresh_token because I need to make API calls from the server-side when the user is offline.

I'm following their guide, but it's not working: refreshToken is always undefined.

Using http://cdn.auth0.com/js/lock/10.7.2/lock.min.js

this.lock = new Auth0Lock('...', 'xxx.eu.auth0.com', {
  initialScreen:'login',
  allowedConnections: ['google-oauth2'],
  allowSignUp: false,
  auth: {
    redirect: false,
    responseType: "token",
    params: {
      'access_type': 'offline',
      'approval_prompt': 'force',
    },
  },
  autoclose: true
});

I also tried the params 'approval_prompt': 'force' or 'prompt': 'select_account consent'.

Instructions here: https://github.com/auth0/rules/blob/master/rules/google-refresh-token.md


Solution

  • That rule is wrong. IdP access_tokens are available through the management API. See this endpoint: https://auth0.com/docs/api/management/v2#!/Users/get_users_by_id

    A special scope is required (read:user_idp_tokens).

    This is because IdP tokens are sensitive artifacts, so Auth0 puts an extra layer of security to obtain them.

    You can of course call the API from a rule, but we'd likely advise against it and instead have your backend act on behalf of your (front-end) app.
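The approach the answer recommends, as an added example (not code from the question, the answer, or Auth0): a backend helper that fetches the user's profile from the Management API users-by-id endpoint with a token carrying the read:user_idp_tokens scope, then reads the Google identity's access_token and refresh_token from the identities array. It assumes Node 18+ (global fetch), a machine-to-machine application authorized for the Management API with that scope, and the environment variable names AUTH0_DOMAIN, AUTH0_M2M_CLIENT_ID, AUTH0_M2M_CLIENT_SECRET and AUTH0_USER_ID, which are placeholders of my choosing. The sample profile at the bottom is constructed for the offline check; the "no-idp-tokens" and "no-refresh-token" results separate the two failure modes the question runs into (token lacks the scope vs. Google never issued a refresh token because offline access/consent was not requested).

```javascript
// Added example, not from the question, the answer or Auth0's own code.
// Assumption: the Management API returns identities[] entries with
// access_token / refresh_token only when the caller's token has the
// read:user_idp_tokens scope, as the answer states.

// Build the Management API users-by-id URL; the "|" in user_ids must be encoded.
function managementApiUserUrl(domain, userId) {
  return `https://${domain}/api/v2/users/${encodeURIComponent(userId)}`;
}

// Pull the IdP tokens for one connection out of a user profile and classify
// the outcome so the caller can tell a scope problem from a consent problem.
function extractIdpTokens(profile, connection = "google-oauth2") {
  const identities = Array.isArray(profile.identities) ? profile.identities : [];
  const identity = identities.find((i) => i.connection === connection);
  if (!identity) {
    return { status: "no-identity" }; // user never logged in with this connection
  }
  if (identity.access_token === undefined) {
    return { status: "no-idp-tokens" }; // Management token lacks read:user_idp_tokens
  }
  if (!identity.refresh_token) {
    // Google only issues a refresh token when offline access and consent were
    // requested at login; without it only the short-lived access token exists.
    return { status: "no-refresh-token", accessToken: identity.access_token };
  }
  return {
    status: "ok",
    accessToken: identity.access_token,
    refreshToken: identity.refresh_token,
  };
}

// Client-credentials grant for the Management API (server-side only; the
// M2M client secret must never reach the browser or a rule's logs).
async function getManagementToken(domain, clientId, clientSecret) {
  const res = await fetch(`https://${domain}/oauth/token`, {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify({
      grant_type: "client_credentials",
      client_id: clientId,
      client_secret: clientSecret,
      audience: `https://${domain}/api/v2/`,
    }),
  });
  if (!res.ok) throw new Error(`token request failed: ${res.status}`);
  return (await res.json()).access_token;
}

// GET /api/v2/users/{id} with the Management token.
async function fetchUserProfile(domain, managementToken, userId) {
  const res = await fetch(managementApiUserUrl(domain, userId), {
    headers: { authorization: `Bearer ${managementToken}` },
  });
  if (!res.ok) throw new Error(`user lookup failed: ${res.status}`);
  return res.json();
}

// Constructed sample of the relevant part of a Management API user profile;
// the token values are made up.
const SAMPLE_PROFILE = {
  user_id: "google-oauth2|1234567890",
  identities: [
    {
      provider: "google-oauth2",
      user_id: "1234567890",
      connection: "google-oauth2",
      isSocial: true,
      access_token: "ya29.CONSTRUCTED-ACCESS-TOKEN",
      refresh_token: "1//0gCONSTRUCTED-REFRESH-TOKEN",
    },
  ],
};

// Live run only when the placeholder environment variables are set.
if (process.env.AUTH0_DOMAIN && process.env.AUTH0_USER_ID) {
  (async () => {
    const domain = process.env.AUTH0_DOMAIN;
    const mgmt = await getManagementToken(
      domain,
      process.env.AUTH0_M2M_CLIENT_ID,
      process.env.AUTH0_M2M_CLIENT_SECRET
    );
    const profile = await fetchUserProfile(domain, mgmt, process.env.AUTH0_USER_ID);
    const result = extractIdpTokens(profile);
    console.log(result.status); // "ok", "no-refresh-token", "no-idp-tokens" or "no-identity"
  })().catch((e) => console.error(e.message));
} else {
  console.log(extractIdpTokens(SAMPLE_PROFILE).status); // "ok" on the constructed sample
}
```

The refresh token stays on the server: the front-end only ever sees the Auth0 id/access token from Lock, and the backend, authenticated with its own M2M credentials, retrieves the Google refresh token when it needs to call Google APIs while the user is offline.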