Identity Provider Access Tokens
Identity providers issue third-party access tokens after users authenticate with that provider. You can use these access tokens to call the API of the third-party provider that issued them. For example, you can use an access token issued after a user authenticates with Facebook to call the Facebook Graph API.
For individual users, the identity provider tokens are available in the identities
array on the user
object under the element for the particular connection. To securely access tokens for a specific user, you need an access token for the Management API that includes the read:user_idp_tokens
scope. Then, you can make an HTTP GET call to the Get a User endpoint to retrieve the tokens.
For admin users of Enterprise connections set up using an OAuth 2.0 consent flow, the identity provider tokens are available in the connection
object. To securely access tokens for a connection, you need an access token for the Management API that includes the read:connections
scope. Then, you can make an HTTP GET call to the Get a Connection endpoint to retrieve the tokens.
Renew third-party tokens
There is no standard way to renew identity provider access tokens through Auth0. The mechanism for renewing identity provider access tokens varies for each provider. For certain identity providers, Auth0 can store a refresh token, which you can use to obtain a new access token for the identity provider. Here is a list of some of the identity providers:
BitBucket
Google OAuth 2.0 (pass the parameter
access_type=offline
, as well theconnection_scope
parameter with required scopes, when calling the Auth0/authorize
endpoint)Any other OAuth 2.0 identity provider
SharePoint
Azure AD
You can retrieve refresh tokens in the same manner you retrieve access tokens. Review the guidelines above for more information.
Validate third-party tokens
In general, if you have received an access token from an identity provider, you don't need to validate it. You can pass it to the issuer, and the issuer takes care of the rest.