
After connecting a user through Google OAuth, when that user wishes to reconnect in a later session that requires selecting his Google account, the permission is asked for again.

According to the documentation, the behavior of the `prompt` parameter, which controls authorization requests, is as follows:

If no value is specified and the user has not previously authorized access, then the user is shown a consent screen.

The user should therefore not have to give his consent again (on checking, the application is present in my authorizations).

The only answer envisaged was the one on this question: login with google always asks user consent

But I also work locally without secure HTTP, and that answer assumes that a cookie policy is present, which is not the case.

Code generating the URL

import { OAuth2Client } from "google-auth-library";

class GoogleAuth {
    private credentials: { client_id: string; client_secret: string; redirect_uris: string[] };
    private client: OAuth2Client;

    constructor(credentials: { client_id: string; client_secret: string; redirect_uris: string[] }) {
        this.credentials = credentials;
        this.client = this.getOAuth2();
    }

    /**
     * Create a new OAuth2Client with the credentials previously loaded.
     * The constructor takes (clientId, clientSecret, redirectUri), in that order.
     */
    private getOAuth2(): OAuth2Client {
        return new OAuth2Client(
            this.credentials.client_id,
            this.credentials.client_secret,
            this.credentials.redirect_uris[0]
        );
    }

    /**
     * Create the connection URL for the given scopes
     * @param scopes
     */
    public url(scopes: Array<string>): string {
        return this.client.generateAuthUrl({
            access_type: "offline",
            scope: scopes
        });
    }
}

// The scope used to generate the URL is 'https://www.googleapis.com/auth/youtube.readonly'

// this.client refers to a client loaded by getOAuth2
// and used only for the generation of URLs.

When a user logs in a second time, to obtain a refresh token that has been lost, he or she is not required to give consent again:

[screenshot]

And that is the problem that occurs.

Neok
  • Did you checked this answer https://stackoverflow.com/a/41703454/6044698 – jano Sep 21 '18 at 13:15
  • The problem is not the same, this question doesn't answer for a second google authentication but for authentication with access token. – Neok Sep 22 '18 at 06:12
  • Happened to me when I was using `access_type=offline` but not actually using the refresh token for subsequent authorizations (I was simply calling `/o/oauth2/v2/auth` when the token was missing/expired). Seems like Google's OAuth behavior had changed recently, causing the full auth flow to retrigger if `access_type=offline` is passed - whereas in the past it just returned a new access token. Using the refresh token flow (`/oauth2/v4/token`) from the second authorization onwards fixed the issue for me. – Janaka Bandara Jul 17 '20 at 01:16

1 Answer


TBH, I didn't understand your problem clearly. But, I'm sure that you must be dealing with two different tokens. As it is OAuth, at first you'll get access token from Google upon successful user authentication.

You're supposed to use that access token to get user information from Google. But by default the access token has an expiration time, beyond which the user has to reauthorize your app. I suspect that's what happens in your case.

You can renew your access token by making use of the refresh token, which you'll get when you get consent from the user.

You can get detailed information in this blog post written by me, https://www.syncwithtech.org/authorizing-google-apis/

I hope this may help you in some way.

vicke4
  • My problem is not that I need to get an access token again, but rather that I need to reassign the rights to the application rather than just perform authentication again. I shouldn't have to give my trust again. – Neok Sep 24 '18 at 19:23
  • Can you be more clear? What do you mean by 'reassigning rights to the application'? Also tell me what you actually want to do after getting user consent. – vicke4 Sep 24 '18 at 19:40
  • All I do after user consent is ok, I am talking about a second authorized access without a previous refresh token, from an application which is already authorized on the account. (A like case from the documentation quote) – Neok Sep 24 '18 at 20:06
  • The OAuth end point will have no idea that the user has already been authorized unless you pass an access token. Without it, it'll ask for user consent again, which is expected IMO. Maybe you have to recheck the flow; I think you're not supposed to call the `getOAuth2()` method again after you get the access and refresh token of the user. – vicke4 Sep 24 '18 at 20:27
  • It does, from the Google account that tries to authenticate. See https://myaccount.google.com/permissions. I'm not trying to bypass authentication, but the second connection should not ask for rights. – Neok Sep 24 '18 at 20:56
  • This is what I've been trying to tell you from the very beginning: for it to not ask for the rights again, you have to pass the access token. Please go through the link in my answer. – vicke4 Sep 24 '18 at 20:58
  • "The OAuth end point will have no idea ... unless you pass an access token." doesn't make sense - the OAuth endpoint doesn't accept an `access_token` parameter, and it works fine without one. The problem is probably that *reinitiating auth* with `access_type=offline` always resends the user to the account selection/consent screens (for offline apps the subsequent auth requests need to instead go through the *token refresh* flow, as also described in your blog post linked in the answer). – Janaka Bandara Jul 17 '20 at 01:28
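The thread above converges on one distinction: the first login goes through Google's authorization endpoint with `access_type=offline` and yields a refresh token, and every later session for that user should exchange the stored refresh token at the token endpoint rather than restarting the authorization flow. The following TypeScript example is added here to show that decision as code; it is not code from the question, the answer, or google-auth-library. It uses only Node built-ins, the two endpoint URLs are Google's documented OAuth2 endpoints, and the user ids, credentials, token store and token responses are constructed placeholders.

```typescript
// Added example (not code from the question or the answer). It models the two
// flows discussed above with Node built-ins only: the first login redirects to
// Google's consent screen with access_type=offline; every later login for the
// same user sends the stored refresh token to the token endpoint instead of
// restarting the authorization flow. Endpoint URLs are Google's documented
// OAuth2 endpoints; ids, credentials, store and token responses are constructed.

const AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth";
const TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token";

interface Credentials {
  client_id: string;
  client_secret: string;
  redirect_uris: string[];
}

// Shape of the JSON Google returns from the token endpoint (only the fields used here).
interface TokenResponse {
  access_token: string;
  expires_in: number;
  refresh_token?: string; // present only on the first code exchange after consent
}

type NextStep =
  | { kind: "redirect"; url: string } // send the browser to Google
  | { kind: "refresh"; endpoint: string; body: string }; // POST this form body server-side

// Server-side store of refresh tokens keyed by our own user id (constructed, in memory).
const refreshTokenStore = new Map<string, string>();

// First-time authorization URL. `prompt` is deliberately not set, so Google shows the
// consent screen only if the user has not previously authorized these scopes.
function buildAuthUrl(creds: Credentials, scopes: string[]): string {
  const params = new URLSearchParams({
    client_id: creds.client_id,
    redirect_uri: creds.redirect_uris[0],
    response_type: "code",
    scope: scopes.join(" "),
    access_type: "offline", // request a refresh token along with the access token
  });
  return `${AUTH_ENDPOINT}?${params.toString()}`;
}

// Form body for the refresh-token grant; this replaces re-running the consent flow.
function buildRefreshBody(creds: Credentials, refreshToken: string): string {
  return new URLSearchParams({
    grant_type: "refresh_token",
    refresh_token: refreshToken,
    client_id: creds.client_id,
    client_secret: creds.client_secret,
  }).toString();
}

// Persist the refresh token from a token response. Google omits `refresh_token` on
// exchanges after the first, so a missing field must never overwrite a stored one.
// Returns true only when a refresh token was actually stored.
function storeTokens(userId: string, tokens: TokenResponse): boolean {
  if (!tokens.refresh_token) return false;
  refreshTokenStore.set(userId, tokens.refresh_token);
  return true;
}

// Decide how to obtain a usable access token for this user's new session.
function nextStep(creds: Credentials, userId: string, scopes: string[]): NextStep {
  const stored = refreshTokenStore.get(userId);
  if (stored) {
    return { kind: "refresh", endpoint: TOKEN_ENDPOINT, body: buildRefreshBody(creds, stored) };
  }
  return { kind: "redirect", url: buildAuthUrl(creds, scopes) };
}

// Constructed credentials for the demonstration; never commit real ones.
const demoCreds: Credentials = {
  client_id: "example-client-id.apps.googleusercontent.com",
  client_secret: "example-client-secret",
  redirect_uris: ["http://localhost:3000/oauth2callback"],
};
const YOUTUBE_READONLY = "https://www.googleapis.com/auth/youtube.readonly";

// Walk-through with constructed data: first session redirects to consent,
// the code exchange returns a refresh token, the second session refreshes.
function demo(): string[] {
  const first = nextStep(demoCreds, "user-42", [YOUTUBE_READONLY]);
  storeTokens("user-42", {
    access_token: "ya29.constructed",
    expires_in: 3599,
    refresh_token: "1//constructed-refresh-token",
  });
  const second = nextStep(demoCreds, "user-42", [YOUTUBE_READONLY]);
  return [first.kind, second.kind]; // ["redirect", "refresh"]
}
```

The point `storeTokens` makes is the failure mode behind "a refresh token that has been lost": because Google returns `refresh_token` only on the first exchange after consent, an application that writes every token response verbatim over its store will discard the one refresh token it has, and the only way left to get a new one is to send the user back through the consent screen. Storing it once, server-side, and routing every later session through `nextStep` keeps the consent prompt to the first login.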