[Feature Parity Issue] ActionsV2 Missing External IDP Refresh Token Support

Use Case: Centralizing identities for internal + external users (supporting external IDPs like Entra), and enabling our microservices to make API calls on behalf of authenticated users.
Environment: Self-hosted (privacy/security requirements)
Version: recent v4 / Cloud for PoC
Stack: Go microservices, gRPC architecture

What we're trying to achieve:
Capture external IDP access & refresh tokens during authentication flow so our backend services can call external APIs (e.g., Microsoft Graph) on behalf of the user.

What worked in ActionV1:
The External Auth Post Authentication hook (as of this commit) provided access to both access & refresh tokens from external IDPs.

The gap in ActionsV2:
The equivalent endpoint doesn't expose refresh tokens, breaking feature parity. Since ActionV1 will be deprecated in v5, we need this capability in ActionsV2 to build our new IDP system without technical debt.

Related issue/context:
#7851 discusses automatic token refresh, but at minimum, ActionsV2 should provide refresh token access like ActionV1 does.
Migrate from Actions v1 to v2 which lists

RetrieveIdentityProviderIntent

RetrieveIdentityProviderIntent

RetrieveIdentityProviderIntent

RetrieveIdentityProviderIntent response as the relevant event to trigger post Auth action.

Question: Is there a workaround for accessing external refresh tokens in ActionsV2, or is this a planned feature?

Ask Inkeep•10/28/25, 5:03 AM

Hi @twellck, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Ask Inkeep•10/28/25, 5:03 AM

Answer

I wasn't able to find a direct answer, here are some relevant sources:

External Authentication Flow (1) : Documents the Post Authentication action parameters including
```
accessToken
```
```
accessToken
```
and refreshTokenrefreshToken fields in the
```
ctx
```
```
ctx
```
parameter, which should provide access to external IDP tokens.
Managed third-party access_token (2) : This open GitHub issue discusses the exact use case you're describing - capturing and managing external IDP access and refresh tokens, with users noting that only the access token is available in the Post-Authentication action.

Ask Inkeep•10/28/25, 5:03 AM

To learn more, see the sources I considered:

[1] External Authentication Flow
[2] Managed third-party access_token

Ask Inkeep•10/28/25, 5:03 AM

Feel free to tag @Ask Inkeep with additional questions.

AAsk Inkeep To learn more, see the sources I considered: [[1] External Authentication Flo...

Ask InkeepAPP•10/28/25, 10:57 PM

Got it. Tagging @Rajat for additional help.

bawsky•11/3/25, 1:42 PM

Also very interested on this - in addition to making requests on behalf of the user (using the IDP's access tokenaccess token), getting other bits IDP information in detail (/userinfo/userinfo response, id tokenid token exact claims) is very helpful to troubleshoot integrating non-standard IDPs (which may violate OIDC/OAuth standards and may require debugging)

Rajat•11/3/25, 7:25 PM

hey @twellck thank you for this detailed summary, I will escelate it internally and will get back to you

Rajat•11/3/25, 10:17 PM

hey @twellck this has been raised internally, I should have something to inform on tomorrow.

twellckOP•11/4/25, 1:22 AM

Sounds good, thanks!

Rajat•11/5/25, 6:30 PM

hey @twellck @bawsky you can open a bug issue for the same. The refresh token scope is used, but the refresh token is not added in the IDP object.

Rajat•11/5/25, 6:31 PM

This was tested/confirmed internally

twellckOP•11/7/25, 12:04 AM

No worries, thanks for confirming this @Rajat!
Just opened an issue: https://github.com/zitadel/zitadel/issues/11047

GitHub

[Bug]: RetrieveIdentityProviderIntent / ActionsV2 Missing Refresh T...

Preflight Checklist I could not find a solution in the documentation, the existing issues or discussions I have joined the ZITADEL chat Environment ZITADEL Cloud Version v4 Database None Database V...