Is authorisation code without popup possible? (using redirect) #288

Open
Jeevsxp opened this issue Mar 24, 2017 · 31 comments

Comments

Jeevsxp commented Mar 24, 2017

The only way I can see to get an authorisation code sent to my back-end is to call the 'grantOfflineAccess' method.

Is there any way to call this in redirect mode and/or have it be included with the initial sign-in flow?

TMSCH (Contributor) commented Mar 24, 2017

Hi @Jeevsxp, it is not possible to obtain an authorization code without a popup. This is a security restriction: an offline code will allow you to obtain a refresh_token on the server, which gives you the possibility to obtain a fresh access_token any time you want. For that, the user needs to give explicit consent.

However, we are working on a feature where you could obtain a code, without a popup, that you would be able to exchange in the backend, but only for an access_token. Would that work in your use case?

Jeevsxp (Author) commented Mar 24, 2017

Hi @TMSCH, in this case I would need to be able to use the code to get a refresh_token as well as an access_token.

I'm all for explicit consent, but could that not be included in the initial sign-in flow (popup or redirect), without requiring an additional consent step?

Thank you for your response here as well. I'm assuming from this that this is what you have in mind.

TMSCH (Contributor) commented Mar 24, 2017

@Jeevsxp the library will soon support a way of requesting code, token, and id_token in the same request, so in one popup consent. However, it won't be possible using redirect for now.

I will keep this thread updated when it is available!

Jeevsxp (Author) commented Mar 24, 2017

@TMSCH ok, thank you

TMSCH (Contributor) commented Apr 14, 2017

Hi @Jeevsxp, you can now request a code as well as the token and id_token using the newly released feature: https://developers.google.com/identity/sign-in/web/reference#advanced

```js
gapi.auth2.authorize({
  client_id: <CLIENT_ID>,
  scope: <SCOPES>,
  response_type: 'code token id_token'
}, function(result) {
  // Errors are reported on the result object (e.g. the user closed the popup).
  if (result.error) {
    // An error happened.
    return;
  }
  let accessToken = result.access_token;
  let idToken = result.id_token;
  let code = result.code;
});
```

Note that, compared to the init/signIn scenario, the library won't automatically refresh the access_token in the client for any authenticated calls you would make with gapi.client. You would have to call it again with the prompt: 'none' option to refresh the token.
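As an added example (not code from this issue or from Google's library), here is one way to wrap the call above so that the one-time code reaches the backend in a POST body rather than in a URL, and the access token is silently re-requested with prompt: 'none' once it nears expiry, since authorize() does not refresh it for you. The authorize and fetchImpl arguments are injected so the class can be exercised outside a browser; in a page you would pass gapi.auth2.authorize and window.fetch. The /auth/google/code endpoint, the presence of an expires_in field on the result, and the 60-second refresh skew are assumptions.

```javascript
// Added example; not part of the issue or of the gapi library.
// `authorize` is expected to behave like gapi.auth2.authorize(config, callback).
// `fetchImpl` is expected to behave like window.fetch.
class OneShotGoogleAuth {
  constructor({ clientId, scope, authorize, fetchImpl,
                codeEndpoint = '/auth/google/code', // assumed backend route
                now = () => Date.now() }) {
    this.clientId = clientId;
    this.scope = scope;
    this.authorize = authorize;
    this.fetchImpl = fetchImpl;
    this.codeEndpoint = codeEndpoint;
    this.now = now;
    this.accessToken = null;
    this.expiresAt = 0; // ms since epoch
  }

  // Promisify the callback-style authorize() and reject on result.error.
  _authorize(extra) {
    return new Promise((resolve, reject) => {
      const config = { client_id: this.clientId, scope: this.scope, ...extra };
      this.authorize(config, (result) => {
        if (!result || result.error) {
          reject(new Error(result ? result.error : 'empty authorize result'));
          return;
        }
        resolve(result);
      });
    });
  }

  // Remember the access token and when it expires. `expires_in` (seconds)
  // is assumed to be present on the result; fall back to one hour.
  _storeToken(result) {
    this.accessToken = result.access_token;
    const ttl = Number(result.expires_in) || 3600;
    this.expiresAt = this.now() + ttl * 1000;
  }

  // First sign-in: one consent popup yields code + token + id_token.
  async signIn() {
    const result = await this._authorize({ response_type: 'code token id_token' });
    this._storeToken(result);
    // Deliver the one-time code in a POST body, never in a URL, so it does not
    // end up in server access logs, Referer headers or browser history.
    const resp = await this.fetchImpl(this.codeEndpoint, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      credentials: 'same-origin',
      body: JSON.stringify({ code: result.code, id_token: result.id_token }),
    });
    if (!resp.ok) throw new Error(`backend rejected code: HTTP ${resp.status}`);
    return { idToken: result.id_token };
  }

  // Return a usable access token, silently re-authorizing with prompt: 'none'
  // when fewer than `skewMs` remain. No popup, no new consent, no new code.
  async getAccessToken(skewMs = 60000) {
    if (this.accessToken && this.now() + skewMs < this.expiresAt) {
      return this.accessToken;
    }
    const result = await this._authorize({ response_type: 'token', prompt: 'none' });
    this._storeToken(result);
    return this.accessToken;
  }
}
```

The refresh path requests only a token, so a silent re-authorization never mints another authorization code; the backend sees the code exactly once, at sign-in.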

Jeevsxp (Author) commented Apr 14, 2017

To confirm, this is only using a popup? Are there any plans to allow redirect in the future?

TMSCH (Contributor) commented Apr 14, 2017

For now, only popup is supported. Redirect is tricky to handle in this use case: contrary to gapi.auth2.init/signIn, where redirect mode is available, there is no "initialization" phase where the redirect result could be handled. We are working on a solution but this is less clean and easy for the developers to use.

HZooly commented Apr 27, 2017

Any news ?

TMSCH (Contributor) commented Apr 27, 2017

@torzuoliH it is on our roadmap but I can't give any ETA at that time.

NinnOgTonic commented Dec 25, 2017

To remedy this situation, would it perhaps at least be possible to put this vital information in the documentation around ux_mode? And/or in the documentation around the grantOfflineAccess API, for example found at:

https://developers.google.com/identity/sign-in/web/reference

TMSCH (Contributor) commented Jan 8, 2018

@NinnOgTonic the ux_mode param is not included in the OfflineAccessOptions nor AuthorizeConfig, however we can make it more clear it doesn't work in these methods.

@troy-lamerton

@TMSCH Please add the documentation. I just found this thread after spending about an hour trying to work out why ux_mode: 'redirect' was not working.

TMSCH (Contributor) commented Mar 6, 2018

@troy-lamerton I'm sorry this happened. The documentation does not mention ux_mode: 'redirect' for grantOfflineAccess but I'll make it more clear in the doc.

@NinnOgTonic

I would suggest documenting some examples of consuming the API in different contexts, and mentioning in this context that for offline access you are not able to use ux_mode? Alternatively, split up the pages for normal and offline access so they don't occur in the same "context"?

TMSCH (Contributor) commented Mar 7, 2018

@NinnOgTonic thanks for the suggestion, are you mentioning splitting the Reference doc?

I think it's a good idea to add examples of using ux_mode, and add a warning that grantOfflineAccess doesn't support it.

@NinnOgTonic

Yes, not sure if it will be less accessible that way, but my thought was that, if possible, you split it like you would split the would-be examples, but maybe this is less feasible?

@NinnOgTonic

But my thought from a consumer perspective is just: I want a simple Hello World app that shows that in case X I want to use Offline Mode, which does not support ux_mode, and then in case Y I want to use the other mode.

@mesqueeb

Just want to chip in I'd also love to have the redirect function with gapi.auth2.authorize.
I'm not sure if this is the correct thread for that though. :s

I'm having trouble when a user grants access on a mobile device, a new tab is opened, but the original tab isn't recognising the user authorised something.
How can I notify the original tab of this?

@mike-seekwell

@TMSCH Is there any update here? What is the "recommended" way to implement Google Sign-In?

I've consistently run into issues using the client side library (e.g. see #473), is the only reliable way to do this server-side? Just looking for some guidance from Google on how to implement sign in without constantly having to re-implement it.

mike-seekwell commented Jan 27, 2019

@grant @TMSCH Was there a recent change (last 3 days or so) that would have caused ux_mode : popup to break when used from a <webview> (Electron)? This had been working fine for me for almost a year now and suddenly broke in the last few days.

I'm commenting here because ux_mode : redirect is still working, however I also need grantOfflineAccess (which clearly isn't supported yet).

@mike-seekwell

In case anyone else runs into this, clearing the cache (see below) before any request seems to be a workaround, but I definitely did not have to do this before.

```js
// Electron: clear the HTTP cache and stored HTTP auth credentials before the sign-in request.
win.webContents.session.clearCache(function () {});
win.webContents.session.clearAuthCache({
  type: 'password'
});
```

@SamuelIrungu

grantOfflineAccess without redirect is just needed in my app. Microsoft Edge, which my app should support, detects the Google auth popup and blocks it. Any news or recommendation for allowing an authorisation code while still having a redirect flow, @TMSCH @bwobrien?

naveenkumarmark commented Sep 20, 2019

@TMSCH
Hi, I am using the code below to have Google sign-in in my app without a popup.
But it still shows a popup; I do not want the popup for signing in.
I just want to have the normal sign-in without any popup.
What am I missing here?
Can you help me figure it out?

```js
gapi.auth2.authorize({
  clientId: process.env.VUE_APP_CLIENT_ID,
  scope: 'email profile openid',
  discoveryDocs: ['https://people.googleapis.com/$discovery/rest'],
  response_type: 'code token id_token',
  ux_mode: 'redirect',
}, function(result) {
  // if (error) {
  //   // An error happened.
  //   return;
  // }
  let accessToken = result.access_token;
  let idToken = result.id_token;
  let code = result.code;
  console.log(result)
});
```

automaticalldramatic commented Feb 2, 2020

It is the future now, the year 2020, humans are still alive and Safari, Edge, Mozilla have started blocking popups for humans to login. This causes issues for applications humans are building that need offline access. Issue #288 is still an issue for humans using Google Auth api.

In this desolate world, one could only hope this gets resolved.

Tyngstast commented Mar 8, 2020

I feel like being able to use authorize on mobile devices is pretty vital... Is there any update on this issue? @TMSCH

EDIT: typo

imvenky commented Jul 20, 2020

Is there any update on this issue? @TMSCH

VikalpP commented Dec 14, 2020

Looks like grantOfflineAccess internally supports redirect_uri, but it isn't exposed officially.
Are there any plans to expose this option officially?

daveteu commented Mar 3, 2021

The only reason I'm checking up on this is because Google's very own Chrome does not allow a popup for the Google API JS Client in incognito mode.

VikalpP commented Jul 28, 2021

Guys, you can pass redirect_uri as an option to grantOfflineAccess, which will redirect the user instead of using a popup.

As said in PR threads multiple times it's just not documented properly. 🤷‍♂️🙂

MJoon-Jung commented Aug 3, 2021

I don't know what should i do.
Is there any solution?

pags commented Dec 30, 2021

When using redirect_uri as suggested above, there are still two issues:

  1. The code is passed in the redirect_uri via a hash, which obviously will not be sent to a back-end server. Is there some way to trigger the code to be included in a query parameter? Setting response_type to code doesn't seem to help.
  2. The redirect_uri is literally a redirect, so any sensitive information included (code) will be stuck in browser history. Is there some way to have the redirect_uri be invoked via XHR/fetch?
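For the situation described in the comment above, where the authorization response comes back in the URL fragment of the redirect target, here is an added example (not code from this issue or from Google's library) of what the landing page can do on load: parse the fragment, check it against a state value stored before the redirect (so a code planted by an attacker is rejected), POST the code to the backend in a request body, and replace the current history entry so the code no longer sits in the address bar. It assumes the fragment uses standard key=value&key=value encoding, a backend route /auth/google/code, and a sessionStorage key for the state; the browser objects are passed in as `env` so the function can run outside a browser. It does not make the redirect itself happen over XHR; the redirect is still a navigation, and this only shortens how long the code is exposed.

```javascript
// Added example; not part of the issue or of the gapi library.
const STATE_KEY = 'google_oauth_state'; // assumed sessionStorage key

// Parse "#code=...&access_token=...&state=..." into an object.
// Returns null if the fragment carries no authorization response at all.
function parseAuthFragment(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  if (!raw) return null;
  const params = new URLSearchParams(raw);
  const fields = ['code', 'access_token', 'id_token', 'state', 'error', 'expires_in', 'scope'];
  const out = {};
  for (const f of fields) {
    if (params.has(f)) out[f] = params.get(f);
  }
  return ('code' in out || 'access_token' in out || 'error' in out) ? out : null;
}

// Random state to store before redirecting (browser: window.crypto).
function newState(cryptoImpl = globalThis.crypto) {
  const bytes = new Uint8Array(16);
  cryptoImpl.getRandomValues(bytes);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Reject a missing, empty or mismatching state before touching the code.
function validateState(received, expected) {
  return typeof received === 'string' && typeof expected === 'string' &&
    received.length > 0 && received === expected;
}

// Run once on the page the redirect lands on. `env` carries browser objects
// ({ location, history, sessionStorage, fetch }) so fakes can be supplied.
async function handleRedirectResponse(env, codeEndpoint = '/auth/google/code') {
  const resp = parseAuthFragment(env.location.hash);
  if (!resp) return { status: 'no_response' };

  // Scrub first, so the code leaves the URL even if a later step fails.
  env.history.replaceState(null, '', env.location.pathname + env.location.search);

  const expected = env.sessionStorage.getItem(STATE_KEY);
  env.sessionStorage.removeItem(STATE_KEY); // state is single-use
  if (!validateState(resp.state, expected)) return { status: 'state_mismatch' };
  if (resp.error) return { status: 'error', error: resp.error };
  if (!resp.code) return { status: 'no_code' };

  // The backend exchanges the code and keeps any refresh_token server-side.
  const r = await env.fetch(codeEndpoint, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    credentials: 'same-origin',
    body: JSON.stringify({ code: resp.code }),
  });
  return r.ok ? { status: 'ok' } : { status: 'backend_error', httpStatus: r.status };
}
```

In a page you would call `sessionStorage.setItem(STATE_KEY, newState())` before starting the redirect, pass that value as the state parameter, and call `handleRedirectResponse({ location, history, sessionStorage, fetch: window.fetch })` on load.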
