0

I've set up an OAuth consent screen for my app with user type external and myself as test user. I then set up an OAuth 2.0 Client ID for a web application. When I download the resulting JSON from here, it includes the following object, but no refresh_token. Why is that?

{
  "web": {
    "client_id": "...",
    "project_id": "...",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_secret": "...",
    "redirect_uris": [
      "http://localhost/"
    ]
  }
}

I can't find it in the docs:

Harm
  • Maybe duplicate? https://stackoverflow.com/questions/70119129/refresh-token-gcp/70119227#70119227 – Jake Nelson Jan 20 '22 at 07:14
  • @JakeNelson My original question was answered in one of the comments there, thanks. Since the original questions are different, I think they're not duplicates though – Harm Jan 20 '22 at 07:31

2 Answers

3

The client secrets file identifies the OAuth Identity Provider. The refresh token is generated from the user's identity during the authentication (OAuth Flow). Think of it as two types of secrets: the provider and the user.

John Hanley
1

The original question—"Why doesn't the credentials.json I download from Google Cloud Platform include a refresh_token?"—was answered in a comment in the question Jake Nelson linked:

The Refresh Token is associated with the identity that authenticated and is not part of the client secret credentials.

And my underlying problem of not having the refresh_token was solved like this:

  • My user type in the consent screen used to be internal, but I changed it to external following the docs
  • After changing that, I had to force the API to ask me for consent again by adding prompt='consent' to my flow.run_local_server call (source)
Harm
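
An added example (not code from either answer or from Google's libraries) that makes the two kinds of secret concrete using only the Python standard library: the client secrets file is enough to build the consent URL, while the refresh token only appears in the token response after the user consents. The placeholder values, the `access_type=offline` parameter and the helper names are assumptions, not taken from the page.

```python
from urllib.parse import urlencode

# Constructed stand-in for the downloaded client secrets file (placeholder values).
CLIENT_SECRETS = {
    "web": {
        "client_id": "example-client-id",
        "client_secret": "example-client-secret",
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://oauth2.googleapis.com/token",
        "redirect_uris": ["http://localhost/"],
    }
}

def build_consent_url(secrets, scope, redirect_uri):
    """Build the URL the user must visit; at this point no user token exists."""
    app = secrets["web"]
    if redirect_uri not in app["redirect_uris"]:
        raise ValueError("redirect_uri is not registered for this client")
    params = {
        "client_id": app["client_id"],
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "access_type": "offline",  # assumption: asks for a refresh token
        "prompt": "consent",       # from the answer: force the consent screen again
    }
    return app["auth_uri"] + "?" + urlencode(params)

def classify(doc):
    """Return 'client' for app-identifying secrets, 'user' for a per-user grant."""
    if "refresh_token" in doc or "access_token" in doc:
        return "user"
    if "web" in doc or "installed" in doc:
        return "client"
    return "unknown"

def refresh_token_from(token_response):
    """Return the refresh token from a token response, or fail loudly if absent."""
    token = token_response.get("refresh_token")
    if not token:
        raise LookupError("no refresh_token: rerun the flow with prompt=consent")
    return token

# Constructed token responses: one after a fresh consent, one without it.
FIRST_CONSENT = {"access_token": "constructed-access", "expires_in": 3599,
                 "refresh_token": "constructed-refresh", "token_type": "Bearer"}
REPEAT_LOGIN = {"access_token": "constructed-access", "expires_in": 3599,
                "token_type": "Bearer"}
```

Because the refresh token is a long-lived per-user secret, store it separately from the client secrets file and with tighter access controls.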