Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(oauth2): support access_type=offline to enable refresh tokens from google #303

Merged
merged 6 commits into from Jun 13, 2019

Conversation

elson
Copy link
Contributor

@elson elson commented Feb 9, 2019

Added support for access_type=offline, required by Google Oauth code exchange authorization flow to get refresh token on first login.

See https://developers.google.com/identity/protocols/OpenIDConnect#refresh-tokens

I set the default value for access-type to 'online', as this is the normal case when not doing a code exchange.

@farnabaz
Copy link
Member

farnabaz commented Feb 9, 2019

Hi
I think it would be better to place the documentation link above access_type declaration line for better understanding

const DEFAULTS = {
  // @see: https://developers.google.com/identity/protocols/OpenIDConnect#refresh-tokens
  access_type: 'online',
}

Also please add access_token in oauth2 docs here

@elson
Copy link
Contributor Author

elson commented Feb 10, 2019

Hi,

Sure, I have done that and also included docs for access_token_endpoint which was pre-existing in the code , but required for code authorization and undocumented.

Thanks
Steve

@elson
Copy link
Contributor Author

elson commented Feb 10, 2019

I should add that I have not tested the impact of these changes on non-Google oauth applications.

@cainaf
Copy link

cainaf commented Mar 7, 2019

Awesome! I'm also in need of offline access. This merge will be very welcome.

@DevBrent
Copy link

DevBrent commented Mar 20, 2019

This introduces explicit vulnerabilities that are against the Google TOS. Do not use this. Refresh tokens can not be safely handled on the client-side.

@gahabeen
Copy link

gahabeen commented Apr 19, 2019

@elson Did you successfuly managed to make it work? (get the refresh_token on login) :)

@elson
Copy link
Contributor Author

elson commented May 18, 2019

@DevBrent I just saw your comment, thanks for raising this I did not realise there could be a problem.

As far as I can tell, this change does not introduce any vulnerabilities - the refresh token is received on the server side during the code exchange performed by the access_token_endpoint, and does not need to be (should not be?) returned to the client at all.

However, you do need to set the access_type option when initiating the flow if you want to receive a refresh token during the code exchange. This is as per Google's documentation, as I understand it.

https://developers.google.com/identity/protocols/OAuth2WebServer#offline

Could you provide some more details regarding the violation of Google's TOS, and/or relevant documentation links?

@gahabeen - Yes, with this change I have been receiving refresh tokens successfully.

@@ -14,6 +14,7 @@ auth: {
authorization_endpoint: 'https://accounts.google.com/o/oauth2/auth',
userinfo_endpoint: 'https://www.googleapis.com/oauth2/v3/userinfo',
scope: ['openid', 'profile', 'email'],
access_type: 'online',
Copy link
Member

@pi0 pi0 May 23, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't better to leave default undefined? Making usage optional.

Copy link
Contributor Author

@elson elson May 25, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I think that would be ok

Copy link
Contributor Author

@elson elson Jun 11, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, are there any further thoughts on this? It would be great if it could be merged as I am keen to upgrade my version of the module to benefit from other recent improvements.

In my opinion the concerns raised by @DevBrent are important but ultimately it is down to the developer to ensure their server side authorisation step handles the refresh tokens responsibly. Nuxt auth has support for refresh tokens generally, so why not support Google refresh token generation as well?

Copy link
Member

@pi0 pi0 Jun 12, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Other than making it optional PR looks fine for merge

Copy link
Contributor Author

@elson elson Jun 12, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok done (pardon the omitted word in the commit message)

Copy link
Contributor Author

@elson elson Jun 12, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Whoops, I think you meant to actually update the code, not just the docs.
Not sure why the tests are failing, but all steps fail when I try to run the locally, i.e. different failures to those in circleci.

@pi0 pi0 added the discussion label May 23, 2019
@pi0 pi0 removed the discussion label Jun 13, 2019
@pi0 pi0 changed the title Support access_type=offline to enable refresh_tokens from Google feat(oauth2): Support access_type=offline to enable refresh_tokens from Google Jun 13, 2019
@pi0 pi0 changed the title feat(oauth2): Support access_type=offline to enable refresh_tokens from Google feat(oauth2): support access_type=offline to enable refresh tokens from google Jun 13, 2019
@pi0 pi0 merged commit 9553f5c into nuxt-community:dev Jun 13, 2019
@pi0
Copy link
Member

pi0 commented Jun 13, 2019

Added in 4.7.0: https://github.com/nuxt-community/auth-module/releases/tag/v4.7.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

6 participants