google oauth2 id_token vs refresh_token

Question

I'm trying to use Google OAuth2 to get user's contact info. I'm not struggling with getting accesses, I am wondering that for some reason I've stopped getting refresh_token instead I get id_token (long JWT string). I use python urllib to retrieve access information for users. My code is:

scope = 'https://accounts.google.com/o/oauth2/token'
params = urllib.urlencode({
    'code': request.GET['code'],
    'redirect_uri': settings.SOCIAL_AUTH_GOOGLE_REDIRECT_URI,
    'client_id': settings.SOCIAL_AUTH_GOOGLE_OAUTH2_KEY,
    'client_secret': settings.SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET,
    'grant_type': 'authorization_code',
})

Response:

{u'access_token': u'hash',
 u'token_type': u'Bearer', 
 u'expires_in': 3600,
 u'id_token': u'really long hash'}

I use contacts scope https://www.google.com/m8/feeds/contacts/default/full?alt=json When I'm trying to add to params access_type : offline I get the error below:

Failed to retrive access_token. Status: 400
Message: {
  "error" : "invalid_request",
  "error_description" : "Parameter not allowed for this message type: access_type"
}

So after that I am wondering:

Can I use id_token refresh my access_token ?
If first is True: How ?
Are there any differences between types of users who are getting authenticated, because I noticed that sometimes you get refresh_token, but I need to get it permanently, next time I make a OAuth2 flow I get id_token

score 3 · Answer 1 · answered May 25 '22 at 15:50

3

I'm sure I'm far too late to help here, but I ran into the same issue so hopefully this will help others.

Google ONLY provides the refresh_token on the first authorization. If the account has already allowed access, the refresh_token will not be provided again. Try revoking access to the app from your google account, then re-authorizing. You will then receive the refresh_token.

answered May 25 '22 at 15:50

Jason Ross

87
7

1

Thanks! That was helpful. Access can be revoked under https://myaccount.google.com/permissions – Martynas Jusevičius Jun 24 '22 at 23:16

score 0 · Answer 2 · answered Mar 30 '16 at 09:35

If you need a refresh token, you better add access_type=offline and approval_prompt=force onto https://accounts.google.com/o/oauth2/auth?

var url = 'https://accounts.google.com/o/oauth2/auth?' +
          'client_id=' + CLIENT_ID + '&' +
          'response_type=code&access_type=offline&approval_prompt=force&' +
          'redirect_uri=' + encodeURIComponent(REDIRECT_URL) +
          '&scope=' + SCOPES;

Then the returned code will always give you a refresh code in the next handshake with https://www.googleapis.com/oauth2/v4/token

google oauth2 id_token vs refresh_token

2 Answers2