accessType=offline & approvalPrompt=force doesn't work in Chrome

[Liam-Williams]

When I call passport.authenticate for google, configured with the passport-google-oauth2 config, the Google OAuth confirmation screen is not forced in Chrome. It is forced in Safari. This is required to get the google refresh token on a users 2nd + time authenticating. Wondering if there is something we can do within the scope of this library to help force the prompt. Thanks!

[semoog]

Any updates on this? I also need the ability to re-generate my refresh token.

[sunknudsen]

The following comment by @cyan198 fixes this!

Short story: instead of approvalPrompt : 'force', use prompt : 'consent'

[Liam-Williams]

Amazing, thanks so much @sunknudsen, problem fixed 👍

[mandeepm91]

This doesn't work for me. Here is my config in passport. Tried with approvalPrompt: 'force' as well.

  google: {
    name: "Google oAuth2",
    protocol: 'oauth2',
    strategy: passportGoogle.Strategy,
    options: {
      accessType: 'offline',
      prompt : 'consent',
      clientID: 'masked',
      clientSecret: 'masked',
      callbackURL: 'http://localhost:8080/api/v3/auth/google/callback',
      scope: ['profile', 'email', 'https://www.googleapis.com/auth/youtube.readonly'],
    },
  },

[haydarai]

I also get the same issue as @mandeepm91

[natanbr]

+1 @haydarai @mandeepm91
Did someone solved it? @cyan198 @sunknudsen

[cyan198]

@natanbr
prompt : 'consent' still works for me all this time.

[natanbr]

@cyan198 can you please share the options and the callback signature you are using?
I tried all the options and I can't get the refresh token...
this is my options object:

   clientID: process.env.GoogleClientID,
    clientSecret: process.env.GoogleClientSecret,
    callbackURL: process.env.GoogleCallbackURL,
    accessType: 'offline',
    prompt: 'consent',
    scope: [
      'https://www.googleapis.com/auth/drive',
      'https://www.googleapis.com/auth/userinfo.profile',
      'profile',
      'https://www.googleapis.com/auth/plus.login',
      'https://www.googleapis.com/auth/userinfo.email'],
    passReqToCallback: true

[cyan198]

The only different is in the scope, mine looks like this
[
'email',
'https://www.googleapis.com/auth/adwords'
]

Of course the adwords is specific to my need. In my case I don't need any info other than email from the account. What error do u get?

[natanbr]

I didn't get an error, just undefined refresh token.
I found a solution see @damianobarbati code here
in general, passing the

    accessType: 'offline',
    prompt: 'consent',

with the connection URL, not as part of the strategy
Thanks!

[cyan198]

Glad to hear!

[benbonnet]

Took me quite a long time and spanned multiple discussions here; as of today the following do retrieve the refresh token :

const config = {
  clientID: process.env.GOOGLE_CLIENT_ID,
  clientSecret: process.env.GOOGLE_CLIENT_SECRET,
  callbackURL: "http://localhost:5000/auth/google/callback",
  scope: ['email']
};

const strategy = new GoogleStrategy(
  config,
  (accessToken, refreshToken, params, profile, cb) => {
    // do your stuff
    cb(null, …data);
  }
);

And the router :

router.get(
    "/auth/google",
    passport.authenticate(
      "google", {
        accessType: 'offline',
        prompt: 'consent'
      }
    )
  );

[ghulamhaider1]

I didn't get an error, just undefined refresh token. I found a solution see @damianobarbati code here in general, passing the

    accessType: 'offline',
    prompt: 'consent',

with the connection URL, not as part of the strategy Thanks!

This works but giving me error on typescript. looks like passport strategy constructor type has not type definition for these two.

[eldarc137]

@ghulamhaider1 did you find a way to make it work with the typescript strategy constructor?

[kikoanis]

I know this is a year old but you could extend AuthenticationOptions interface from passport to include the extra props. and pass it along to the authenticate method.

interface ExtendedAuthenticateOptions extends AuthenticateOptions {
    accessType?: string;
    authType?: string;
    includeGrantedScopes?: boolean;
}

const authOptions: ExtendedAuthenticateOptions = {
    authType: 'rerequest',
    accessType: 'offline',
    prompt: 'consent',
    includeGrantedScopes: true,
    scope: ['email', 'profile', 'openid']
};

const authGoogle = async (req: Request, res: Response): Promise<void> => {
    await passport.authenticate('google', authOptions)(req, res);
};

[rsahukrishworks]

i am able to get the refresh token

the refresh token is showing invalid when in try to get id_token from google apis using the refresh token

passport.use(new GoogleStarategy({
    clientID: process.env.GOOGLE_AUTH_CLIENTID,
    clientSecret: process.env.GOOGLE_AUTH_CLIENT_SECRET,
    callbackURL: uris.GOOGLE_CALLBACK_URL,
    passReqToCallback: true
}, async (req,accessToken, refreshToken, params, profile, cb) => {
    return cb(null, result)
}));

authRoutes.route('/login/google').get(passport.authenticate('google', { 
    scope: [" https://www.googleapis.com/auth/userinfo.profile", "https://www.googleapis.com/auth/userinfo.email"],
    approvalPrompt: 
    'force',accessType: 'offline'}));

the refresh token i have

{
  refreshToken: '1//0gdDoOs3m76H4CgYIARAAGBASNwF-L9Ireg13JT11xNWBNd1OLif5FAks9o36qZ50JSqCpBBIL7mOqk4btwgoqRa7mBmMtPrTAFQ'
}

how to get the id_token using refresh token after token expiry