
I'm developing an angularjs web app.

To access server side api, I need to add an id_token header and I receive an id_token, by using https://accounts.google.com/o/oauth2/auth endpoint.

The crux of the matter is this - the id_token has an expiration date. Before accessing server API, I need to make sure the id_token is not expired yet, but if it is, the obvious choice would be to refresh it.

Is there any way I can refresh the id_token?

I know I could change access_type to offline, and receive a refresh_token, but it does seem pretty weird to ask for offline access, when basically in my case the user interacts with the server only at the moment when he is actually using the web app online.

pinoyyid
Elias
  • I don't think you need to refresh the id token. Your app can manage its own session once you have the claims you need from the id token. See http://stackoverflow.com/questions/25686484/what-is-intent-of-id-token-expiry-time-in-openid-connect – sdoxsee Sep 04 '16 at 10:40

2 Answers

1

Forget all about refresh tokens and offline access. This method is only applicable for server and desktop apps. To have a refresh token present in the browser would be a massive security hole.

If you read the docs for the Google JS OAuth library, you'll see that it's easy to get a new access token once the current one expires. See gapi.auth.authorize() and note the comment for immediate=true. NB this method is deprecated, although it works. Absolutely everything you need is at https://developers.google.com/api-client-library/javascript/reference/referencedocs

pinoyyid
  • Thank you for your response. I'm not using gapi library, because of the problem I've described here: http://stackoverflow.com/questions/38392912/google-authentication-gapi-uncaught-typeerror-cannot-read-property-postmessag and also I've opened an issue https://github.com/google/google-api-javascript-client/issues/238 – Elias Sep 08 '16 at 18:02
  • In case it helps, I've wrapped gapi in an Angular 1 service here https://github.com/pinoyyid/ngDrive/blob/master/src/oauth_s.ts – pinoyyid Sep 09 '16 at 06:10
0

When the id_token expires, the client requests new tokens from the server, so that the user does not need to authorise again.

From "Implementing a silent token renew in Angular for the OpenID Connect implicit flow"

Michael Freidgeim