feat(oauth2): support access_type=offline to enable refresh tokens from google
#303
Conversation
…authorization flow to get refresh token
|
Hi const DEFAULTS = {
// @see: https://developers.google.com/identity/protocols/OpenIDConnect#refresh-tokens
access_type: 'online',
}Also please add |
|
Hi, Sure, I have done that and also included docs for Thanks |
|
I should add that I have not tested the impact of these changes on non-Google oauth applications. |
|
Awesome! I'm also in need of offline access. This merge will be very welcome. |
|
This introduces explicit vulnerabilities that are against the Google TOS. Do not use this. Refresh tokens can not be safely handled on the client-side. |
|
@elson Did you successfuly managed to make it work? (get the refresh_token on login) :) |
|
@DevBrent I just saw your comment, thanks for raising this I did not realise there could be a problem. As far as I can tell, this change does not introduce any vulnerabilities - the refresh token is received on the server side during the code exchange performed by the However, you do need to set the https://developers.google.com/identity/protocols/OAuth2WebServer#offline Could you provide some more details regarding the violation of Google's TOS, and/or relevant documentation links? @gahabeen - Yes, with this change I have been receiving refresh tokens successfully. |
docs/schemes/oauth2.md
Outdated
| @@ -14,6 +14,7 @@ auth: { | |||
| authorization_endpoint: 'https://accounts.google.com/o/oauth2/auth', | |||
| userinfo_endpoint: 'https://www.googleapis.com/oauth2/v3/userinfo', | |||
| scope: ['openid', 'profile', 'email'], | |||
| access_type: 'online', | |||
There was a problem hiding this comment.
Isn't better to leave default undefined? Making usage optional.
There was a problem hiding this comment.
Yes, I think that would be ok
There was a problem hiding this comment.
Hi, are there any further thoughts on this? It would be great if it could be merged as I am keen to upgrade my version of the module to benefit from other recent improvements.
In my opinion the concerns raised by @DevBrent are important but ultimately it is down to the developer to ensure their server side authorisation step handles the refresh tokens responsibly. Nuxt auth has support for refresh tokens generally, so why not support Google refresh token generation as well?
There was a problem hiding this comment.
Other than making it optional PR looks fine for merge
There was a problem hiding this comment.
Ok done (pardon the omitted word in the commit message)
There was a problem hiding this comment.
Whoops, I think you meant to actually update the code, not just the docs.
Not sure why the tests are failing, but all steps fail when I try to run the locally, i.e. different failures to those in circleci.
pi0
changed the title
pi0
changed the title
access_type=offline to enable refresh tokens from google
Added support for access_type=offline, required by Google Oauth code exchange authorization flow to get refresh token on first login.
See https://developers.google.com/identity/protocols/OpenIDConnect#refresh-tokens
I set the default value for access-type to 'online', as this is the normal case when not doing a code exchange.