
We're working on a project that depends on PSA (0.2.1) for authentication with Google OAuth2 (offline). Somehow we lost some refresh tokens of some users, and we want to force those users to RE-AUTHENTICATE so we can get a new refresh token from Google.

We tried both:

  1. Disconnect those users using /disconnect/google-oauth2: we got a NotAllowedToDisconnect exception. Even after removing social.pipeline.disconnect.allowed_to_disconnect from SOCIAL_AUTH_DISCONNECT_PIPELINE, we got no exception, but when the user re-authenticates, there is no refresh_token in Google's response.
  2. Add approval_prompt=force to the 'account:social:begin' URL, but it doesn't return the refresh_token.

Any idea will be highly appreciated.

Update: We tried to use {% url 'account:social:begin' 'google-oauth2' %}?approval_prompt=force&next=/ to force the approval_prompt for certain users (with missing tokens), but it seems to have no effect on Google OAuth.

Thanks

Mo J. Mughrabi
elmkarami

1 Answer

Using this setting does the trick:

```python
SOCIAL_AUTH_GOOGLE_OAUTH2_AUTH_EXTRA_ARGUMENTS = {
    'access_type': 'offline',
    'approval_prompt': 'force'
}
```

Use case example at http://psa.matiasaguirre.net/docs/use_cases.html#re-prompt-google-oauth2-users-to-refresh-the-refresh-token

omab
  • Actually, adding {'approval_prompt': 'force'} to ``SOCIAL_AUTH_GOOGLE_OAUTH2_AUTH_EXTRA_ARGUMENTS`` means that every time an existing user wants to log in, Google will always ask him for offline access; we want only users who lost refresh_token to be asked for this – elmkarami Nov 07 '14 at 18:18
  • But you won't be able to know it until you identify the current user and its association in the DB. – omab Nov 07 '14 at 20:32
  • You're right. So is there a trick to pass an extra param to PSA, which in its turn passes this param to the provider at runtime? That would be great – elmkarami Nov 07 '14 at 20:56
  • If you are able to identify the users that require that parameter, then you can set ``{'approval_prompt': 'auto'}`` and then call ``/login/google-oauth2?approval_prompt=force`` to override that value. Another option would be to use a custom pipeline that will check the lack of ``refresh_token`` and redirect the user to ``backend.auth_url() + "&approval_prompt=force"`` – omab Nov 08 '14 at 04:15
  • 1- by setting ``approval_prompt`` to ``auto`` and calling ``/login/google-oauth2?approval_prompt=force`` we got ``OAuth 2 parameters can only have a single value``. 2- I think we mentioned above that we already added ``{% url 'account:social:begin' 'google-oauth2' %}?approval_prompt=force``, in the template for those who lost their ``refresh_token`` which didn't return the refresh_token, but still we did what you asked, by redirecting users to ``backend.auth_url() + "&approval_prompt=force"`` which in its turn didn't return the ``refresh_token``, so the user got stuck in that page – elmkarami Nov 09 '14 at 22:32
  • 1. You mean that by defining the setting in the answer but with ``'auto'`` instead of ``'force'`` and then sending the users to ``/login/google-oauth2/?approval_prompt=force`` you get that "OAuth2 parameters can only have single values"? Just tested, it works, maybe you got that message when doing ``backend.auth_url() + "&approval_prompt=force"`` – omab Nov 11 '14 at 11:10
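
The duplicate-parameter problem raised in the comments, as an added example that is not part of the original thread or of PSA's code: it sets `approval_prompt` exactly once in an authorization URL instead of appending a second copy, and only for users whose stored data has no `refresh_token`. The function names, the sample URL and the dict shape of `extra_data` are assumptions made for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample: an authorization URL as built with approval_prompt=auto.
SAMPLE_AUTH_URL = (
    "https://accounts.google.com/o/oauth2/auth"
    "?client_id=CLIENT_ID_PLACEHOLDER&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcomplete%2Fgoogle-oauth2%2F"
    "&scope=openid+email&state=STATE_PLACEHOLDER"
    "&access_type=offline&approval_prompt=auto"
)

def _pairs(url):
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)

def param_values(url, key):
    """All values the query string carries for key, in order."""
    return [v for k, v in _pairs(url) if k == key]

def duplicated_params(url):
    """Keys that appear more than once; Google rejects such requests."""
    keys = [k for k, _ in _pairs(url)]
    return sorted({k for k in keys if keys.count(k) > 1})

def needs_reconsent(extra_data):
    """True when the stored association (assumed dict) has no refresh_token."""
    return not (extra_data or {}).get("refresh_token")

def with_single_params(auth_url, overrides):
    """Set each override exactly once, dropping any earlier occurrence."""
    kept = [(k, v) for k, v in _pairs(auth_url) if k not in overrides]
    query = urlencode(kept + list(overrides.items()))
    return urlunsplit(urlsplit(auth_url)._replace(query=query))

def login_url(auth_url, extra_data):
    """Force the consent screen only for users whose refresh_token is gone."""
    if needs_reconsent(extra_data):
        return with_single_params(
            auth_url, {"access_type": "offline", "approval_prompt": "force"})
    return auth_url

if __name__ == "__main__":
    naive = SAMPLE_AUTH_URL + "&approval_prompt=force"
    print(duplicated_params(naive))                     # appended copy collides
    print(login_url(SAMPLE_AUTH_URL, {"access_token": "constructed"}))
```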