Force requesting refresh_token from Google

Google only provides a refresh_token on the user's first authorization. If the user clears cookies, re-authorization will not return a refresh_token again. A workaround is to add prompt=consent to the OAuth redirect URL, which makes Google always return a refresh_token.
Lian Duan 2019-04-08 16:07:51 +02:00 committed by GitHub
parent 7bf257f6e9
commit f54bf3f291
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -119,11 +119,14 @@ func (p *GoogleProvider) Revoke(accessToken string) error {
// Support for this scope differs between OpenID Connect providers. For instance
// Google rejects it, favoring appending "access_type=offline" as part of the
// authorization request instead.
//
// Google only provide refresh_token on the first authorization from the user. If user clears
// cookies, re-authorization will not bring back refresh_token. A work around to this is to add
// prompt=consent to the OAuth redirect URL and will always return a refresh_token.
// https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
// https://developers.google.com/identity/protocols/OAuth2WebServer#offline
// https://stackoverflow.com/a/10857806/10592439
func (p *GoogleProvider) GetSignInURL(state string) string {
return p.oauth.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.ApprovalForce)
return p.oauth.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.ApprovalForce, oauth2.SetAuthURLParam("prompt", "consent"))
}
// Authenticate creates an identity session with google from a authorization code, and follows up
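Review bot: The new `AuthCodeURL` call in `GetSignInURL` keeps `oauth2.ApprovalForce` alongside `oauth2.SetAuthURLParam("prompt", "consent")`, so the two options overlap. Depending on the pinned golang.org/x/oauth2 version, `ApprovalForce` either emits the legacy `approval_prompt=force`, which Google may reject when `prompt` is also present, or already expands to `prompt=consent`, which makes the extra option redundant; check the vendored version before merging. I would send a single consent option: `return p.oauth.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.SetAuthURLParam("prompt", "consent"))`. Because every sign-in now mints a fresh refresh_token, it is also worth confirming that older tokens are revoked or overwritten rather than left valid in the session store; that handling is outside this hunk.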