Obtaining refresh_token through offline_access scope to be used with IAP

Question

I am using IAP to protect a Web API Application. I have enabled a service account to get access to the APIs through an id_token. I am able to obtain an id_token (JWT) by signing a JWT (using the keys of my service account) with the following assertions

{
  "iss": "xx.iam.gserviceaccount.com",
  "sub": "xx.iam.gserviceaccount.com",
  "aud": "https://oauth2.googleapis.com/token",
  "target_audience": "my_application_client_id",
  "iat": 1598702078,
  "exp": 1598705593
}

and then Posting to the token service as follows

curl --location --request POST 'https://oauth2.googleapis.com/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'assertion=<JWT obtained at the previous step>’
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer' \
--data-urlencode 'scope=openid’

Now I would like to also obtain a refresh_token and has been impossible. I have tried with scope=openid offline_access but no luck. Is offline_access implemented in the Google Auth Server? Any other mechanism to obtain a refresh_token?

score 0 · Answer 1 · answered Sep 01 '20 at 18:51

0

According to the documentation here, for the OpenID server flow you would need to use access_type as parameter set to offline for it to work. There are more details here.

answered Sep 01 '20 at 18:51

Alexis

26
5

Obtaining refresh_token through offline_access scope to be used with IAP

1 Answers1