Refresh token not being returned from Google

[rmunn]

While trying to figure out why my Google OAuth sessions were expiring after one hour, I found c08c83c which has a comment about refresh tokens not being returned despite Google's documentation saying that they should be returned. That led me to find https://stackoverflow.com/a/65702100 where it's mentioned that for an app such as mailctl, you only get a refresh token immediately after the user has clicked "Allow" on the consent screen.

I ran mailctl authorize google my_email@gmail.com --debug and found that it was true: Google didn't show me a consent screen because mailctl was already authorized on my account, and the JSON returned from Google's OAuth endpoints did not contain a refresh_token.

The best solution, I think, would be to add a --force-refresh-token command-line parameter to the authorize command. If present, that parameter would add the prompt=consent (and, if needed, access_type=offline) parameters to the initial accounts.google.com/o/oauth2/token POST URL, to ensure that even if the user has already authorized the mailctl app, that Google will re-show the authorization screen and therefore mailctl will receive a refresh token.

[pdobsan]

On Sat, Jan 27, 2024 at 10:24:05PM -0800, Robin Munn wrote: While trying to figure out why my Google OAuth sessions were expiring after one hour, I found c08c83c which has a comment about refresh tokens not being returned despite Google's documentation saying that they should be returned. That led

This comment refers to the process of *renewal* of the access token. The refresh token is returned only once during the *authorization* step.

command-line parameter to the `authorize` command. If present, that parameter would add the `prompt=consent` (and, if needed,

The prompt parameter is already given for the authorization step.