JavaScript Rule-Based Authentication

Store Google Refresh Token

What does it do?

In some scenarios, you might want to access Google APIs from your application. You do that by using the access_token stored on the identities array (user.identities[0].access_token). However, access_tokens expire, and to get a new one you have to ask the user to log in again. That's why Google allows asking for a refresh_token, which can be used forever (until the user revokes it) to obtain new access_tokens without requiring the user to log in again.

You ask for a refresh_token using Lock by sending access_type=offline as an extra parameter, as explained here, using the auth.params object in Lock's options.

The only caveat is that Google will send you the refresh_token only once. If you haven't stored it, you will have to ask for it again and add approval_prompt=force so that the user explicitly consents again. Since this would be annoying from a user experience perspective, you should store the refresh token on Auth0 as a persistent property of the user, but only if there is a new one available.
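A sketch of a rule implementing the store-only-when-new logic described above. This is an added example, not Auth0's published rule: the function names are hypothetical, and it assumes the token is kept in app_metadata, that Google identities carry the provider value google-oauth2, and that the Rules runtime supplies the auth0 global with users.updateAppMetadata.

```javascript
// Added example, not Auth0's published rule; function names are hypothetical.
// Assumes the Rules runtime supplies the `auth0` global.

// Returns the app_metadata to persist, or null when this login carried no
// new Google refresh_token (the normal case after the first consent).
function refreshTokenUpdate(user) {
  // Search by provider instead of trusting identities[0]: with linked
  // accounts the Google identity is not necessarily first.
  const google = (user.identities || []).find(
    (identity) => identity.provider === 'google-oauth2');
  if (!google || !google.refresh_token) return null;
  // Assumption: app_metadata is used because end users cannot edit it.
  return Object.assign({}, user.app_metadata,
    { refresh_token: google.refresh_token });
}

// In the dashboard, paste this as the rule's function expression.
function storeGoogleRefreshToken(user, context, callback) {
  const update = refreshTokenUpdate(user);
  // No new token: leave the stored one alone instead of overwriting it.
  if (!update) return callback(null, user, context);
  user.app_metadata = update;
  auth0.users.updateAppMetadata(user.user_id, update).then(
    () => callback(null, user, context),
    (err) => callback(err));
}

// Constructed sample logins; token values are placeholders.
const firstLogin = {
  user_id: 'google-oauth2|0001',
  app_metadata: { plan: 'free' },
  identities: [{ provider: 'google-oauth2', access_token: 'AT-1',
                 refresh_token: 'RT-1' }],
};
const laterLogin = {
  user_id: 'google-oauth2|0001',
  app_metadata: { plan: 'free', refresh_token: 'RT-1' },
  identities: [{ provider: 'google-oauth2', access_token: 'AT-2' }],
};
console.log(refreshTokenUpdate(firstLogin)); // metadata including RT-1
console.log(refreshTokenUpdate(laterLogin)); // null: nothing new to store
```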

How do I use it?

Just create a new rule in the Auth0 dashboard and copy the following code, replacing the placeholders with the appropriate values.

What is Rule-Based Authentication?

A rule is arbitrary JavaScript code that can be used to extend Auth0's default behavior when authenticating a user. Enabled rules will be executed in the order shown below for all users and applications as the final step of the authentication process.

Rules can be used to enrich and transform the user profile, deny access to specific users under certain conditions, retrieve information from external services and much more. For more information about rules, please check the documentation.