You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
TLDR: I've used the setup guide to get Google working as an SSO provider, up until my access_token expires. App throws A refresh_token is not available on subsequent POST to /auth/google_oauth2. Not using Devise. How can I mitigate this error, or bypass the refresh_token flow?
Setup
I've followed the setup guide in the README, and I am not using Devise.
I am able to POST /auth/google_oauth2 with a user and complete the account selection and consent screens, and am redirected to my callback endpoint with an access_token and refresh_token. However, once the access_token expires and my user is logged out of my application, when they POST /auth/google_oauth2 again to re-authenticate, I hit the token refresh flow within omniauth-oauth2: https://github.com/omniauth/omniauth-oauth2/blob/3a43234ab5dd36a75f9c125c58fcfe1a37b26805/lib/omniauth/strategies/oauth2.rb#L92
This makes sense, since the refresh_token is supplied only on the first authorization call to Google. However, what I don't understand is how I'm supposed to handle this.
I can only make this work if I edit the gemfiles and add to the existing code:
# control how quickly my access_token expires for testing purposes
fresh[:expires_in] = 1
# the actual fix: manually forcing my refresh token into the gem flow
fresh[:refresh_token] = "my valid refresh_token"
Rails.application.config.middleware.use OmniAuth::Builder do
if [feature flag enabled]
provider :google_oauth2,
[google client id],
[google client secret],
scope: 'email',
skip_jwt: true,
access_type: 'online'
end
end
OmniAuth.config.allowed_request_methods = %i[post]
OmniAuth.config.logger = Rails.logger
routes.rb
get '/auth/google_oauth2/callback', to: 'my_controller#google_callback'
index.html.erb:
= button_to 'Login with Google', '/auth/google_oauth2', method: :post
Questions
So to my questions:
The guides mention to store the refresh_token, but not how or where. How am I supposed to store and pass the refresh_token to this gem?
Can I bypass the refresh flow entirely? I'm only using this gem to authenticate users, and not to access any other Google API. Other issues on this gem suggest that only using prompt: 'consent' and access_type: 'offline' together are supposed to be the only way to get a refresh_token, but that doesn't influence whether this or underlying gems check for a refresh_token once the access_token is expired.
Additionally, is there a way to pass an expires_at, or expire_in argument to the gem for shortening the access_token expiration time for testing purposes?
I've looked into this issue across the multiple omniauth gem dependencies, and this gem for 5+ days, and haven't gotten anywhere. Any feedback or answers would be deeply appreciated 🙏 ❤️
The text was updated successfully, but these errors were encountered:
if you are only using this for login, then there is no need to log them out when the access_token expires. The only time you need to worry about refreshing the token is if you actually need to use it...
Also what exactly are you posting to the /auth/google/oauth2 endpoint? It shouldn't be seeing any access token, and therefore it wouldn't be expired... unless you are passing in the expired token.
TLDR: I've used the setup guide to get Google working as an SSO provider, up until my
access_token
expires. App throwsA refresh_token is not available
on subsequentPOST
to/auth/google_oauth2
. Not using Devise. How can I mitigate this error, or bypass therefresh_token
flow?Setup
I've followed the setup guide in the README, and I am not using Devise.
I am able to
POST /auth/google_oauth2
with a user and complete the account selection and consent screens, and am redirected to my callback endpoint with anaccess_token
andrefresh_token
. However, once theaccess_token
expires and my user is logged out of my application, when theyPOST /auth/google_oauth2
again to re-authenticate, I hit the token refresh flow withinomniauth-oauth2
: https://github.com/omniauth/omniauth-oauth2/blob/3a43234ab5dd36a75f9c125c58fcfe1a37b26805/lib/omniauth/strategies/oauth2.rb#L92This fails every time with
A refresh_token is not available
https://gitlab.com/oauth-xx/oauth2/-/blob/main/lib/oauth2/access_token.rb?ref_type=heads#L118This makes sense, since the
refresh_token
is supplied only on the first authorization call to Google. However, what I don't understand is how I'm supposed to handle this.I can only make this work if I edit the gemfiles and add to the existing code:
Configuration
Gemfile
:config/initializers/omniauth.rb
:routes.rb
index.html.erb
:Questions
So to my questions:
refresh_token
, but not how or where. How am I supposed to store and pass therefresh_token
to this gem?prompt: 'consent'
andaccess_type: 'offline'
together are supposed to be the only way to get arefresh_token
, but that doesn't influence whether this or underlying gems check for arefresh_token
once theaccess_token
is expired.expires_at
, orexpire_in
argument to the gem for shortening theaccess_token
expiration time for testing purposes?I've looked into this issue across the multiple
omniauth
gem dependencies, and this gem for 5+ days, and haven't gotten anywhere. Any feedback or answers would be deeply appreciated 🙏 ❤️The text was updated successfully, but these errors were encountered: