
Identity Toolkit for Websites v3 provides an authorization code in the signInSuccess callback's tokenString argument.

Though //www.gstatic.com/authtoolkit/js/gitkit.js is obfuscated and undocumented, I found .gstatic.com/authtoolkit/js/gitkit-debug.js, which should help, but I am still curious if there is a better way or if I'm missing something.

The problem is I cannot find a way to set the parameter access_type=offline, so I can't get a refresh token, so using the Google API Client Library for Java post login with idp google.com doesn't seem to be an option. I can't use it with the federated login solution offered. I need to implement the Google provider OAuth flow separately ... I can't believe that; I must be missing something here.

What is the point of providing access to the authorization code in the URL # if I can't use it to access other Google APIs?

In any case, back in 2012 someone had the same issue and a solution was provided for v1, seen in [this][2] forum discussion.

The response starts with "Different IdP has different ways to get a refresh token, i.e., for Microsoft, a "wl.offline_access" scope is required; for Google, an "access_type=offline" URL parameter is required. Currently GITKit hasn't yet had a normalized way to do it, but we're looking into it."

If they were looking into it in 2012, surely there is some sort of approach ... in any case, my requirement currently is just to access Google APIs.

So comparing the flow of google oauth playground where you can select access_type=offline and the account chooser url continue ... looks like this

 https://accounts.google.com/AccountChooser?continue=https://accounts.google.com/o/oauth2/auth?
access_type=offline
&approval_prompt=force
&scope=https://www.googleapis.com/auth/cloudprint+https://www.googleapis.com/auth/userinfo.profile
&response_type=code
&redirect_uri=https://developers.google.com/oauthplayground
&client_id=407408718192.apps.googleusercontent.com
&hl=en-GB
&from_login=1
&as=5cc2df3c88f13395
&ltmpl=popup
&btmpl=authsub
&hl=en_GB
&scc=1
&oauth=1

Where you can see the access_type parameter. I added some extra config properties to gitkit-debug.js in all the right places and then traced execution, stepping into functions until the POST was sent. Even though my new parameters are in the data all the way up until it is sent, I get a URL which doesn't include them.

[Screenshot: debug console showing data object state just before POST]

My resulting url continue parameter looks like this

https://accounts.google.com/AccountChooser?continue=https://accounts.google.com/o/oauth2/auth?
scope=https://www.googleapis.com/auth/userinfo.email+https://www.googleapis.com/auth/cloudprint+https://www.googleapis.com/auth/userinfo.profile+openid
&response_type=token+code+id_token+gsession
&redirect_uri=http://localhost:8080/identity/control/authenticate
&state=AFD_5tmV........... etc
&client_id=143312559437-4o93ranlfalg78rj006qirib182bnkj4.apps.googleusercontent.com
&include_profile=true
&hl=en-GB
&from_login=1
&as=77237587f41849c5
&ltmpl=popup
&btmpl=authsub
&hl=en_GB
&scc=1
&oauth=1

Why and how is access_type=offline removed?

user2804010

1 Answer

gitkit.widget.handler.onProviderSignInIdpClick_ = function(app, component, idp) {
  // Null values are removed later in requestGitkitEndpoint.
  // Not sure if the extra parameters are needed in the request.
  // getAccessType() and getApprovalPrompt() are config getters added to gitkit-debug.js.
  var request = {
    providerId: idp.getProviderId(),
    continueUri: app.getConfig().getIdpCallbackUrl(),
    oauthScope: app.getConfig().getIdpConfigAdditionalScopes(),
    access_type: app.getConfig().getAccessType(),
    approval_prompt: app.getConfig().getApprovalPrompt()
  };
  // The request is then passed to the executor within component.executeRequest.
  component.executeRequest(
    // executor
    goog.bind(app.getApi().createAuthUri, app.getApi()),
    // request
    request,
    // callback
    function(resp) {
      if (!resp || gitkit.api.hasError(resp)) {
        gitkit.log.error("createAuthUri: " + goog.json.serialize(resp));
        component.showInfoBar(gitkit.widget.handler.common.getErrorMessage(gitkit.api.getErrorCode(resp)));
      } else {
        // The returned authUri lacks the extra parameters, so append them here for Google only.
        if (resp.providerId === 'google.com') {
          var append = '';
          if (goog.isDefAndNotNull(app.getConfig().getAccessType())) {
            append += "&access_type=" + goog.string.urlEncode(app.getConfig().getAccessType());
          }
          if (goog.isDefAndNotNull(app.getConfig().getApprovalPrompt())) {
            append += "&approval_prompt=" + goog.string.urlEncode(app.getConfig().getApprovalPrompt());
          }
          if (append) {
            resp.authUri = resp.authUri.concat(append);
          }
        }
        // Persist session state, then redirect the browser to the provider.
        if (resp.sessionId) {
          gitkit.storage.setSessionId(resp.sessionId, app.getAppId());
        }
        gitkit.storage.setRememberAccount(false, app.getAppId());
        gitkit.util.goTo(goog.asserts.assert(resp.authUri));
      }
    });
};
user2804010
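
A way to check which OAuth parameters an auth URI actually carries, and to set `access_type` with the URL API instead of string concatenation, as an added example that is not part of the original answer or of gitkit.js. The function names and sample URIs are constructed, and it assumes the OAuth request may sit inside the AccountChooser `continue` parameter, as in the URLs shown in the question.

```javascript
// Added example; function names are hypothetical, not gitkit.js APIs.
// Constructed sample URIs (CLIENT_ID is a placeholder, not a real client).
const OAUTH = 'https://accounts.google.com/o/oauth2/auth';
const CHOOSER = 'https://accounts.google.com/AccountChooser?continue=';
const EXPECTED = CHOOSER + encodeURIComponent(
  OAUTH + '?access_type=offline&approval_prompt=force&response_type=code&client_id=CLIENT_ID');
const ACTUAL = CHOOSER + encodeURIComponent(
  OAUTH + '?response_type=code&client_id=CLIENT_ID');

// Collect OAuth parameters from an auth URI: the outer query string plus the
// query of the URL nested in `continue` (percent-encoded or flattened).
function oauthParams(authUri) {
  const outer = new URL(authUri);
  const params = new Map();
  for (const [k, v] of outer.searchParams) {
    if (k !== 'continue') params.set(k, v);
  }
  const nested = outer.searchParams.get('continue') || '';
  const q = nested.indexOf('?');
  if (q !== -1) {
    for (const [k, v] of new URLSearchParams(nested.slice(q + 1))) params.set(k, v);
  }
  return params;
}

// Parameter names present in expectedUri but absent from actualUri.
function missingParams(expectedUri, actualUri) {
  const actual = oauthParams(actualUri);
  return [...oauthParams(expectedUri).keys()].filter((k) => !actual.has(k));
}

// Set access_type / approval_prompt on the OAuth request itself (the nested
// URL when there is one), letting the URL API handle the encoding.
function withOfflineAccess(authUri, accessType, approvalPrompt) {
  const outer = new URL(authUri);
  const nested = outer.searchParams.get('continue');
  const target = nested ? new URL(nested) : outer;
  if (accessType != null) target.searchParams.set('access_type', accessType);
  if (approvalPrompt != null) target.searchParams.set('approval_prompt', approvalPrompt);
  if (nested) outer.searchParams.set('continue', target.toString());
  return outer.toString();
}

console.log(missingParams(EXPECTED, ACTUAL));
console.log(oauthParams(withOfflineAccess(ACTUAL, 'offline', 'force')).get('access_type'));
```

Running `missingParams` against the URI the browser is actually redirected to shows whether the parameters survived the round trip through the backend.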