15

I'm developing an app that accesses Google APIs (starting with Calendar API) using OAuth2 and the google client libraries for that (is on Appengine and GWT BTW).

I have implemented my OAuth2Call back servlet, extending the Google AbstractAppEngineAuthorizationCodeCallbackServlet.

I have it working, I get access and can look at calendars etc, but have two problems:

1) I do not get a refresh token, despite explicitly requesting offline access:

public static GoogleAuthorizationCodeFlow newFlow( String scope ) throws IOException {
    GoogleAuthorizationCodeFlow.Builder builder = new GoogleAuthorizationCodeFlow.Builder(
            HTTP_TRANSPORT, 
            JSON_FACTORY,
            getClientSecrets(), 
            Collections.singleton( scope ) );

    builder.setCredentialStore( new AppEngineCredentialStore() ).setAccessType("offline");

    return builder.build();
}

2) I cannot see how to set the automatic refresh functionality. These pages describe the methods:

But I can't see where to add the refresh listener. There is no such method in the GoogleAuthorizationCodeFlow.Builder class, unlike the Credential.Builder class

EDIT After debugging the code more, when the credential comes back (in the onSuccess() method) it seems to have a RefreshListener set already.....so maybe that's their by default, and my only problem is I'm not getting a refresh_token, despite asking for it.

Maybe need to review settings in the Google API Console also?

t3chb0t
  • 16,340
  • 13
  • 78
  • 118
Andrew Mackenzie
  • 5,477
  • 5
  • 48
  • 70

3 Answers3

22

One thing you should be careful about: a refresh token is returned (in addition to the access token) only when the user gives consent explicitly for the requested scopes. Basically, when the approval page is shown. All subsequent flows will only return an access token.

Now, in order to test your application and make sure you receive the refresh token the first time around, you could use the approval_prompt=force parameter (builder.setApprovalPrompt("force")) to make sure the approval page is shown in the flow and you obtain explicit consent from the user. After you sort out any issues and make sure the refresh tokens are stored properly, you can remove that flag (the default is auto)

More information is also available in the offline access section in the developer guide.

vlatko
  • 3,234
  • 1
  • 18
  • 11
  • Thanks for the comment, I'll check along these lines. At the moment, I do an explicit revoke of the token, and then request it again and I always go through the explicit accept screen for the user - but still don't get a refresh_token. – Andrew Mackenzie Dec 10 '12 at 19:31
  • 1
    vlatko, I was doing everything you said *except* the prompt force, and that seems to have fixed it! So, your answer was much appreciated! Is this a bug, or just a glaring omission from the (too extensive...) documentation? – Andrew Mackenzie Jan 05 '13 at 11:07
8

To get the refresh token you have to set both accessType = "offline" and approvalPrompt = "force".

GoogleAuthorizationCodeFlow flow = new GoogleAuthorizationCodeFlow.Builder(
            HTTP_TRANSPORT,
            JSON_FACTORY,
            CLIENT_ID,
            CLIENT_SECRET,  
            SCOPE)
.setAccessType("offline")
.setApprovalPrompt("force")
.build();
informatik01
  • 16,038
  • 10
  • 74
  • 104
Alexandra
  • 81
  • 1
  • 1
  • Ok, thank you for this! The .setApprovalPrompt(..) must be a relatively new requirement. I had my code working about a month or two ago without this option and it was giving me refresh tokens. All of a sudden it had stopped working and I was left to wonder why. – ThaDon Mar 22 '14 at 01:18
0

I looked into this, and concluded that the access_token only needs to be used once. That is, every Google query is a two step process:

  1. Use the refresh_token to generate a temporary access_token
  2. Use the access_token for the one or more queries necessary for your operation.

I've seen a couple posts here about ensuring that the server clock is synchronized. But that seems like unnecessary complexity.

For a more detailed explanation: http://www.tqis.com/eloquency/googlecalendar.htm

Sunny Jim
  • 585
  • 5
  • 13
  • Thanks Sunny. But the problem was that on the first authorization I was getting the AccessToken, but NOT the RefreshToken, despite asking for it by setting the AccessType to "offline". If you use the Google classes (once you have a RefreshToken) they they will store it and use it to automatically get a new AccessToken when it expires, all transparently to you. – Andrew Mackenzie Jan 07 '13 at 12:29