Is authorisation code without popup possible? (using redirect)

[Jeevsxp]

The only way I can see to get an authorisation code to sent to my back-end is to call the 'grantOfflineAccess' method.

Is there anyway to call this in redirect mode and/or have it be included with the initial sign in flow?

[TMSCH]

Hi @Jeevsxp, this is not possible to obtain an authorization code without popup. This is a security restriction: an offline code will allow you to obtain a refresh_token in the server, that gives you the possibility to obtain a fresh access_token anytime you want. For that, the user needs explicit consent.

However, we are working on a feature where you could obtain a code, without popup, that you would be able to exchange in the backend, but only for an access_token. Would that work in your use case?

[Jeevsxp]

Hi @TMSCH, in this case I would need to be able to use the code to get a refresh_token as well as an access_token.

I'm all for explicit consent, but could that not be included in the initial sign in flow (popup or redirect), without requiring an additional consent step.

Thank you for your response here as well. I'm assuming from this that, this is what you have in mind

[TMSCH]

@Jeevsxp the library will soon support a way of requesting code, token, and id_token in the same request, so in one popup consent. However, it won't be possible using redirect for now.

I will keep this thread updated when it is available!

[Jeevsxp]

@TMSCH ok, thank you

[TMSCH]

Hi @Jeevsxp, you can now request a code as well as the token and id_token using the newly released feature: https://developers.google.com/identity/sign-in/web/reference#advanced

gapi.auth2.authorize({
  client_id: <CLIENT_ID>,
  scope: <SCOPES>,
  response_type: 'code token id_token'
}, function(result) {
  if (error) {
    // An error happened.
   return;
  }
  let accessToken = result.access_token;
  let idToken = result.id_token;
  let code = result.code;
});

Note that, compared to the init/signIn scenario, the library won't automatically refresh the access_token in the client for any authenticated calls you would make with gapi.client. You would have to call it again with the prompt: 'none' option to refresh the token.

[Jeevsxp]

To confirm, this is only using a popup? Are there any plans to allow redirect in the future?

[TMSCH]

For now, only popup is supported. Redirect is tricky to handle in this use case: contrary to gapi.auth2.init/signIn, where redirect mode is available, there is no "initialization" phase where the redirect result could be handled. We are working on a solution but this is less clean and easy for the developers to use.

[HZooly]

Any news ?

[TMSCH]

@torzuoliH it is on our roadmap but I can't give any ETA at that time.

[NinnOgTonic]

To remedy this situration, would it perhaps at least be possible to put this vital information in the documentation around ux_mode? And / or in the documentation around the grantOfflineAccess API For example found at:

https://developers.google.com/identity/sign-in/web/reference

[TMSCH]

@NinnOgTonic the ux_mode param is not included in the OfflineAccessOptions nor AuthorizeConfig, however we can make it more clear it doesn't work in these methods.

[troy-lamerton]

@TMSCH Please add the documentation. I just found this thread after spending about an hour trying to solve why the ux_mode: 'redirect' was not working.

[TMSCH]

@troy-lamerton I'm sorry this happened. The documentation does not mention ux_mode: 'redirect' for grantOfflineAccess but I'll make it more clear in the doc.

[NinnOgTonic]

I would suggest documenting some examples of consuming the api in different contexts, and mentioning it in this context perhaps that for the offline you are not able to use ux_mode? Alternatively, split up the pages for the normal and offline access so they dont occur in the same "context"?