From f54bf3f291248809668f0eaca14003062ba8f5a8 Mon Sep 17 00:00:00 2001
From: Lian Duan
Date: Mon, 8 Apr 2019 16:07:51 +0200
Subject: [PATCH] Force requesting refresh_token from Google

Google only provide refresh_token on the first authorization from the user. If user clears cookies, re-authorization will not bring back refresh_token. A work around to this is to add prompt=consent to the OAuth redirect URL and will always return a refresh_token.
---
 internal/identity/google.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/internal/identity/google.go b/internal/identity/google.go
index 3de177a27..8f502b155 100644
--- a/internal/identity/google.go
+++ b/internal/identity/google.go
@@ -119,11 +119,14 @@ func (p *GoogleProvider) Revoke(accessToken string) error {
 // Support for this scope differs between OpenID Connect providers. For instance
 // Google rejects it, favoring appending "access_type=offline" as part of the
 // authorization request instead.
-//
+// Google only provide refresh_token on the first authorization from the user. If user clears
+// cookies, re-authorization will not bring back refresh_token. A work around to this is to add
+// prompt=consent to the OAuth redirect URL and will always return a refresh_token.
 // https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
 // https://developers.google.com/identity/protocols/OAuth2WebServer#offline
+// https://stackoverflow.com/a/10857806/10592439
 func (p *GoogleProvider) GetSignInURL(state string) string {
- return p.oauth.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.ApprovalForce)
+ return p.oauth.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.ApprovalForce, oauth2.SetAuthURLParam("prompt", "consent"))
 }
 
 // Authenticate creates an identity session with google from a authorization code, and follows up
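Review bot: The new `AuthCodeURL` call in `GetSignInURL` keeps `oauth2.ApprovalForce` and adds `oauth2.SetAuthURLParam("prompt", "consent")` beside it, so the two options either conflict or duplicate each other depending on the vendored golang.org/x/oauth2 version, which is not visible in this patch. In older releases `ApprovalForce` sends `approval_prompt=force`, and as far as I know Google's authorization endpoint rejects a request that carries both `approval_prompt` and `prompt`; in newer releases `ApprovalForce` is already `prompt=consent`, which would make the added option a no-op. I would pass only one of them, e.g. `return p.oauth.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.SetAuthURLParam("prompt", "consent"))`. The doc comment should also say that every sign-in now issues a fresh refresh token, so session storage and `Revoke` handling have to expect older refresh tokens for the same account to be invalidated once Google's per-client token limit is reached.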