From 06da599fbc0cf74c2ab1badcaaa5cda1b53d895f Mon Sep 17 00:00:00 2001 From: Bobby DeSimone Date: Mon, 8 Apr 2019 17:32:40 -0700 Subject: [PATCH] internal/identity: replace legacy approval_prompt=force with prompt=consent(#82) Fixes a bug where caused by setting both prompt=consent and approval_prompt=force. --- internal/identity/google.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/identity/google.go b/internal/identity/google.go index 8f502b155..66655884c 100644 --- a/internal/identity/google.go +++ b/internal/identity/google.go @@ -119,14 +119,14 @@ func (p *GoogleProvider) Revoke(accessToken string) error { // Support for this scope differs between OpenID Connect providers. For instance // Google rejects it, favoring appending "access_type=offline" as part of the // authorization request instead. -// Google only provide refresh_token on the first authorization from the user. If user clears +// Google only provide refresh_token on the first authorization from the user. If user clears // cookies, re-authorization will not bring back refresh_token. A work around to this is to add // prompt=consent to the OAuth redirect URL and will always return a refresh_token. // https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess // https://developers.google.com/identity/protocols/OAuth2WebServer#offline // https://stackoverflow.com/a/10857806/10592439 func (p *GoogleProvider) GetSignInURL(state string) string { - return p.oauth.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.ApprovalForce, oauth2.SetAuthURLParam("prompt", "consent")) + return p.oauth.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.SetAuthURLParam("prompt", "consent")) } // Authenticate creates an identity session with google from a authorization code, and follows up