Generate server auth code from macOS app

[thomzon]

Hi,

I have successfully setup the flow for a user to login to his Gmail account from my macOS app.
The issue is, it is not the app that will access the user's data, but a server. The app should just takes care of the Gmail login and generate a server authorisation code that can then be sent to the server.

Is there any way, similarly to the iOS Google SDK, to specify the client ID of the server, so that the authorisation code generated can be used by the server ?

Thanks.

[StevenEWright]

Fast response during triage: I believe the flow you're suggesting is explicitly not supported by the library because transferring tokens to your server this way is not considered best practice. I confess to not looking into your question very hard, and defer to @WilliamDenniss who can provide a canonical answer.

[ismeta]

because transferring tokens to your server this way is not considered best practice

Hm, is this true? I believe the flow @thomzon's referring to is this one: https://developers.google.com/identity/sign-in/ios/offline-access, where we get an auth code (serverAuthCode in the doc) that can then be passed to the server.

I'd also like for this library to support server-side (offline) access - I've a macOS app, so it looks like this library suits. However, we use offline access, so we'd like to pass an auth code to the server so it can get refresh + access tokens. This library doesn't seem to support it. (or maybe I'm not looking in the right places for it?)

[cocavo]

It seems that an auth code for the server can be obtained by applying additionalParameters.

let authRequest = OIDAuthorizationRequest(configuration: GTMAppAuthFetcherAuthorization.configurationForGoogle(),
                                          clientId: "CLIENT_ID",
                                          scopes: scopes,
                                          redirectURL: redirectURL,
                                          responseType: OIDResponseTypeCode,
                                          additionalParameters: ["audience": "SERVER_CLIENT_ID"])
        OIDAuthState.authState(byPresenting: authRequest,
                               presenting:   presenting) { (state, error) in
                                let serverAuthCode = state?.lastTokenResponse?.additionalParameters?["server_code"] as? String
        }

[StevenEWright]

Closing this since it looks like it has been answered. Thanks @cocavo

[girishw]

@cocavo Setting the audience parameter does get the server_code. However, exchanging the code for tokens on the server results in an invalid_grant/Bad request error. Is there any else we need to do?

[petea]

Make sure that the client ID you're using on the server is defined as an OAuth 2.0 Client ID of "Web application" type in the Credentials page of Google Cloud Console and that it is in the same project as the "iOS" type client ID that your app is using.