
I'm currently discovering OAuth identification on a Node.js server in order to test it with queries on the YouTube API.

For now, it works, I can make the requests. There are only two things I have a problem with.

First, every time I log in, Google asks for permission even though it has already been granted (and the permission is visible in the allowed applications on my account).

According to this answer "login with google always asks user consent", this should not happen, despite the fact that I work locally.

My second question may help me answer the first. When I studied OAuth, I learned about the existence of the refresh token, which is supposed to allow the creation of a new access token when the current one has expired.

I just can't figure out if it's up to me to use the refresh token or if the library does it by itself when making requests?

I based my code on: https://developers.google.com/youtube/v3/quickstart/nodejs

Each session is associated with an OAuth2Client containing tokens and all client information.

[Current situation]

The refresh token is handled by the library, as Rubén showed here. Still no answer about the prompt every time.

Neok

1 Answer

Following that quickstart, when you go through authorization you are calling getToken:

```javascript
oauth2Client.getToken(code, function(err, token) {
   if (err) {
      console.log('Error while trying to retrieve access token', err);
      return;
   }
   oauth2Client.credentials = token;
   storeToken(token);
   callback(oauth2Client);
});
```

The token object in the response contains an access_token and the refresh_token. The refresh_token is only returned the first time you log in (you can get new ones if the token expires) and you need to store it in order to generate new access tokens.

As you can also see in the example, in the authorize function you need to check if you have previously stored your tokens.

Then, to use the refresh_token you need to call:

```javascript
oauth2Client.setCredentials({
   refresh_token: YOUR_STORED_REFRESH_TOKEN
});
```

After setting credentials with the refresh_token, the access_token is automatically updated and you can use your oauth2Client to make requests again.

I hope it's clear!

Reference: https://developers.google.com/identity/protocols/OAuth2WebServer#offline

Ruben Lopez
  • Thanks, but refreshAccessToken has been deprecated lately, which makes me think that it's now done automatically? And do you think this can help with the prompt, or only for long-lived session tokens (> 1 hour)? – Neok Aug 28 '18 at 08:45
  • You're right, it seems it's done automatically, [as explained here](https://github.com/google/google-api-nodejs-client#handling-refresh-tokens). I believe you need to handle when to show the prompt: if users have already logged in, you need to check if their refresh tokens are stored and if you can generate access tokens with them. Once you check that, it means users are authenticated and you can make requests. – Ruben Lopez Aug 28 '18 at 09:04
  • Alright, in case the user is really disconnected / forgotten by the server, but still in the applications allowed on the Google account: the reconnection should not display the authorization request but redirect to the redirect_url directly, shouldn't it? – Neok Aug 28 '18 at 09:46
  • Right, if users have given their consent to use the application, redirection shouldn't display the prompt and should continue with the execution. – Ruben Lopez Aug 28 '18 at 09:53
  • I will look further into that problem now that I know more about the refresh. – Neok Aug 28 '18 at 09:55
  • Great! Good luck! – Ruben Lopez Aug 28 '18 at 10:10
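
An added example, not part of the original posts or of the library's code: one way to persist tokens so that the refresh_token from the first authorization survives later automatic refreshes, plus a policy for when to force the consent screen. It assumes the client exposes the `tokens` event described in the linked README section; the helper names, the temporary file and the `EventEmitter` stand-in with constructed token values are hypothetical.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');
const { EventEmitter } = require('events');

// Merge a new token response into the stored one. Refreshed responses
// normally carry no refresh_token, so the stored one must be kept.
function mergeTokens(stored, fresh) {
  const merged = { ...stored, ...fresh };
  if (!fresh.refresh_token && stored && stored.refresh_token) {
    merged.refresh_token = stored.refresh_token;
  }
  return merged;
}

function loadTokens(file) {
  try {
    return JSON.parse(fs.readFileSync(file, 'utf8'));
  } catch (err) {
    if (err.code === 'ENOENT') return null; // nothing stored yet
    throw err;
  }
}

// Tokens are credentials: keep the file readable by its owner only.
function saveTokens(file, tokens) {
  fs.writeFileSync(file, JSON.stringify(tokens), { mode: 0o600 });
  fs.chmodSync(file, 0o600); // mode above only applies when the file is created
  return tokens;
}

// `client` is anything with on('tokens', cb), e.g. the OAuth2Client.
function persistOnRefresh(client, file) {
  client.on('tokens', (fresh) => saveTokens(file, mergeTokens(loadTokens(file), fresh)));
}

// Options for generateAuthUrl: force consent only when no refresh token is stored.
function authUrlOptions(stored, scope) {
  const opts = { access_type: 'offline', scope };
  if (!stored || !stored.refresh_token) opts.prompt = 'consent';
  return opts;
}

// Constructed run: first login returns both tokens, the later refresh only one.
function demo() {
  const file = path.join(fs.mkdtempSync(path.join(os.tmpdir(), 'tok-')), 'tokens.json');
  const client = new EventEmitter(); // stand-in for OAuth2Client
  persistOnRefresh(client, file);
  client.emit('tokens', { access_token: 'A1', refresh_token: 'R1', expiry_date: 1 });
  client.emit('tokens', { access_token: 'A2', expiry_date: 2 });
  return loadTokens(file);
}
```

With a real client, pass the OAuth2Client to `persistOnRefresh` and the result of `authUrlOptions` to `generateAuthUrl`.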