Per https://developers.google.com/identity/sign-in/web/server-side-flow in order to get a refresh token, the client must grant offline access. However, I see no way to do that using the new API. What's the proper way to get a refreshed token using the Google button, so the user doesn't need to re-login every hour?
Please provide enough code so others can better understand or reproduce the problem. – Community Sep 06 '21 at 13:50
This answer solved it for me: https://stackoverflow.com/a/69746036/380316 – Oded Ben Dov Oct 11 '22 at 12:41
1 Answer
Authentication for sign-in has been separated from authorization for data access in the new API.
In the new API authentication does not require or use access or refresh tokens, instead a signed JWT ID token credential containing the user profile is shared after user consent. This greatly simplifies the level of effort and need to manage tokens during app sign-up or sign-in.
If you're performing authorization to access Google APIs and storing refresh tokens on your backend, then a server-to-server OAuth flow is appropriate.
Another clarification: user sign-in to your app and maintaining session state are separate concepts and should be handled separately from backend processes which may use an offline refresh token to perform actions through a Google API on behalf of the user while they are not logged in.
I don't entirely follow. Our current flow: 1. Log in on webpage, grab token. 2. Send token to server, server authenticates with Google, log into our server. This works fine for initial login, the issue comes when we disconnect (due to timeout, etc.) from our server. When this happens, we have to log in again. With Apple login, we can send a refresh token and handle this seamlessly. With Google login, it seems like we have to prompt the user for a new token? Unfortunately, this only works with one tap and the user can't ever dismiss the window, otherwise it automatically cancels out. – Miranda Schubert Sep 09 '21 at 21:03
Whether a user is signed into their Google Account or into your platform are two distinct things. The JWT tells you the user has successfully authenticated and signed into their Google Account. They may sign in/out of the G.A. independently of your site. If you have a valid user session to your site, it is not necessary to display One Tap and obtain a new JWT. Given the flow you described it seems like you can simply choose to not render One Tap if the user has a valid session on your site and you're good. Put another way, replace the refresh token handling with a check to display One Tap or not. – bdid Sep 13 '21 at 20:24
@bdid I don't quite follow. Does this mean I need to negotiate my own session cookie with the client after he has sent me the Google JWT (Because that will run out in 1 hour and can't be used for authentication after that time)? Because if so I would basically have to roll out and refresh my own jwt since I am using a serverless app – user2741831 Sep 19 '21 at 13:46
Google's systems will not issue a session cookie for your use, nor is the JWT intended as a means to establish and manage a user session. The JWT is simply a secure means to convey user profile info. – bdid Sep 23 '21 at 15:18