Identity Provider Access Tokens

Identity providers issue third-party access tokens after users authenticate with that provider. You can use the access tokens to call the API of the third-party provider that issued them. For example, an access token issued after a user authenticates to Facebook can be used to call the Facebook Graph API.

Once the user has authenticated with the identity provider, you can retrieve that provider's access token with an HTTP GET call to the /api/v2/users endpoint. To call this endpoint, you need an access token for the Management API that includes the read:user_idp_tokens scope. The access token for the identity provider will be available in the identities array, under the element for the particular connection.

The contents of third-party access tokens vary depending on the issuing identity provider. Because these tokens are created and managed by a third party (such as Facebook, GitHub, etc.), their validity period also varies by issuer. If you believe these tokens have been compromised, you must revoke or reset them with the third party that issued them.

Renew third-party tokens

There is no standard way to renew identity provider access tokens through Auth0; the renewal mechanism differs for each provider. For certain identity providers, Auth0 can store a refresh token, which you can use to obtain a new access token for the identity provider. These include:

  • BitBucket

  • Google OAuth 2.0 (pass the parameter access_type=offline, as well as the connection_scope parameter with the required scopes, when calling the Auth0 /authorize endpoint)

  • Any other OAuth 2.0 identity provider

  • SharePoint

  • Azure AD

Get the identity provider refresh tokens in the same way as access tokens, using the /api/v2/users endpoint. The refresh tokens will be available in the identities array, under the element for the particular connection.
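The two retrieval steps above (requesting offline access from Google through /authorize, then reading the stored tokens out of the identities array returned by /api/v2/users) as one worked example. This is an added example, not Auth0's own code: the tenant domain is a placeholder, the user profile is a constructed sample, and the field names access_token and refresh_token inside each identities element are an assumption about the response shape, since the page only says the tokens sit under the element for the connection.

```python
"""Retrieve identity-provider access and refresh tokens from an Auth0 user profile.

Added example, not Auth0's own code. Assumes: a Management API token holding
read:user_idp_tokens is already available, the tenant domain is a placeholder,
and SAMPLE_PROFILE is a constructed stand-in for what GET /api/v2/users/{id}
returns when that scope is present.
"""
import json
import urllib.parse
import urllib.request

AUTH0_DOMAIN = "YOUR_TENANT.auth0.com"  # placeholder, not a real tenant


def build_google_offline_authorize_url(client_id, redirect_uri, idp_scopes, state):
    """Build the Auth0 /authorize URL that asks Google for a refresh token.

    access_type=offline and connection_scope are the two parameters the page
    names; Auth0 forwards them to Google so that Google issues a refresh token
    which Auth0 can then store alongside the access token.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "connection": "google-oauth2",  # default name of the Google connection
        "scope": "openid profile",
        "access_type": "offline",
        "connection_scope": " ".join(idp_scopes),
        "state": state,
    }
    return f"https://{AUTH0_DOMAIN}/authorize?" + urllib.parse.urlencode(params)


def fetch_user_profile(mgmt_token, user_id):
    """GET /api/v2/users/{id} with a Management API bearer token (network call)."""
    url = f"https://{AUTH0_DOMAIN}/api/v2/users/{urllib.parse.quote(user_id, safe='')}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {mgmt_token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def extract_idp_tokens(profile, connection):
    """Return (access_token, refresh_token) for one connection in the identities array.

    Returns (None, None) when the connection is absent, and None for either
    field that was not returned (for example when the Management API token
    lacks read:user_idp_tokens, or the provider never issued a refresh token).
    """
    for identity in profile.get("identities", []):
        if identity.get("connection") == connection:
            return identity.get("access_token"), identity.get("refresh_token")
    return None, None


# Constructed sample profile; token values are placeholders, not real credentials.
SAMPLE_PROFILE = {
    "user_id": "google-oauth2|1234567890",
    "identities": [
        {
            "provider": "google-oauth2",
            "connection": "google-oauth2",
            "user_id": "1234567890",
            "isSocial": True,
            "access_token": "ya29.CONSTRUCTED_ACCESS_TOKEN",
            "refresh_token": "1//CONSTRUCTED_REFRESH_TOKEN",
        },
        {
            "provider": "github",
            "connection": "github",
            "user_id": "98765",
            "isSocial": True,
            "access_token": "gho_CONSTRUCTED_ACCESS_TOKEN",
            # no refresh_token: GitHub did not issue one in this sample
        },
    ],
}

if __name__ == "__main__":
    print(build_google_offline_authorize_url(
        "CLIENT_ID", "https://app.example/callback", ["scope-a", "scope-b"], "xyz"))
    for conn in ("google-oauth2", "github", "facebook"):
        print(conn, extract_idp_tokens(SAMPLE_PROFILE, conn))
```

fetch_user_profile is the only part that touches the network; everything else runs offline against the constructed profile, so you can check your parsing before pointing it at a real tenant. Treat the returned tokens like any other credential: they are the third party's tokens, so compromise means revoking them with that provider, not with Auth0.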

Validate third-party tokens

If you have received an access token from an identity provider, in general, you don't need to validate it. You can pass it to the issuer, and the issuer takes care of the rest.
