The issuance of a refresh token with the client credential grant has no benefit. That is why the RFC6749 section 4.4.3 indicates A refresh token SHOULD NOT be included. Thus its issuance is at the discretion of the authorization server. From my point of view an authorization server should never issue a refresh token with … Read more
To summarize your situation: You have your own backend (server of some kind, such as a web application implementing a REST API) where users should be able to login using a username and password to obtain an access token giving their access to their own resources on the server, and they should be able to … Read more
the Implicit Grant flow is done for java script clients and I think they are using ‘#’ instead of ‘?’ to not send the access token to server side of your redirect URL but it is still reach to javascript which is the client in our case may be for security reason “not sharing your … Read more
Give us a little more code, or check the call to gapi.auth.authorize() Check that you are using the correct scope to obtain the OAuth token. Scope should be https://www.googleapis.com/auth/drive Double-Check the scope declaration: https://developers.google.com/accounts/docs/OAuth2Login#sendauthrequest Check the call to gapi.auth.authorize() window.gapi.auth.authorize( { ‘client_id’: clientId, ‘scope’: scope, ‘immediate’: false }, handleAuthResult); from: https://developers.google.com/picker/docs/#hiworld Without an actual code … Read more
This prompt could come because of two parameters, access_type (if it is ‘offline’) approval_prompt (if it is ‘force’) make sure you have set access_type to ‘online’ and apporoval_prompt to ‘auto’ $client->setAccessType(‘online’); $client->setApprovalPrompt(‘auto’) ;
It seems that Google finally ditched the unnecessary client_secret for installable applications and is not yet up-to-date with their documentation. You should check if you already get an access_token in the initial OAuth request like it’s handled on Facebook. Another possibility would be to fall back to using a Simple API Access key. Update: First … Read more
Google OAuth 2 Refresh Token is Missing for Web App but Present for localhost
There are a lot of misunderstandings about both cookies and refresh tokens and OAuth2. First, it is not true that only confidential clients can use a refresh token. The OAuth2 protocol says that confidential clients must authenticate, but does not require confidential clients. Ergo, client authentication is optional on the refresh operation. See RFC 6749, … Read more
Seems like best thing to do is to just always have userId=”me” in your requests. That tells the API to just use the authenticated user’s mailbox–no need to rely on email addresses.
The expires_in is value in seconds. See this section of the specification.