[Feature Parity Issue] ActionsV2 Missing External IDP Refresh Token Support
Use Case: Centralizing identities for internal + external users (supporting external IDPs like Entra), and enabling our microservices to make API calls on behalf of authenticated users.
Environment: Self-hosted (privacy/security requirements)
Version: recent v4 / Cloud for PoC
Stack: Go microservices, gRPC architecture
What we're trying to achieve:
Capture external IDP access & refresh tokens during authentication flow so our backend services can call external APIs (e.g., Microsoft Graph) on behalf of the user.
What worked in ActionV1:
The External Auth Post Authentication hook (as of this commit) provided access to both access & refresh tokens from external IDPs.
The gap in ActionsV2:
The equivalent endpoint doesn't expose refresh tokens, breaking feature parity. Since ActionV1 will be deprecated in v5, we need this capability in ActionsV2 to build our new IDP system without technical debt.
Related issue/context:
#7851 discusses automatic token refresh, but at minimum, ActionsV2 should provide refresh token access like ActionV1 does.
Migrate from Actions v1 to v2, which lists the RetrieveIdentityProviderIntent response as the relevant event to trigger a post-authentication action.
Question: Is there a workaround for accessing external refresh tokens in ActionsV2, or is this a planned feature?
Hi @twellck, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.
Answer
I wasn't able to find a direct answer, here are some relevant sources:
1. External Authentication Flow (1): Documents the Post Authentication action parameters, including the accessToken and refreshToken fields in the ctx parameter, which should provide access to external IDP tokens.
2. Managed third-party access_token (2): This open GitHub issue discusses the exact use case you're describing, capturing and managing external IDP access and refresh tokens, with users noting that only the access token is available in the Post-Authentication action.
To learn more, see the sources I considered:
[1] External Authentication Flow
[2] Managed third-party access_token
Feel free to tag @Ask Inkeep with additional questions.