1

I have a web application where users can sign in with Google.

To the sign-in process, I add a scope to be able to access Google Calendar.

Now that the user is signed in, I would like to - in server-side - get their current Google access token in order to make a request and get a list of their events.

Is there a way to get the current OAuth token (no need for refresh token) in order for me to make this completely on the server-side?

Amit
  • 5,924
  • 7
  • 46
  • 94

2 Answers2

1

I'd say that you can check this article and put special attention to the recommendation for websites.

I understand you have configured already the consent screen, which is the first step of the basic steps on using OAuth 2.0. So I understand that you only have to perform the following steps:

  1. Obtain an access token from the Google Authorization Server
  2. Examine scopes of access granted by the user.
  3. Send the access token to an API

I think you can also give a look to this other doc for more GCP insights over your goal to authorize the request using user tokens

Edited: Regarding the Firebase Authentication, I understand this happens at the user's device, and you could use some code to retrieve the token and then send it to your back end servers as mentioned in here.

As a sample here there's the sample code for retrieving the token in Android:

FirebaseUser mUser = FirebaseAuth.getInstance().getCurrentUser();
mUser.getIdToken(true)
    .addOnCompleteListener(new OnCompleteListener<GetTokenResult>() {
        public void onComplete(@NonNull Task<GetTokenResult> task) {
            if (task.isSuccessful()) {
                String idToken = task.getResult().getToken();
                // Send token to your backend via HTTPS
                // ...
            } else {
                // Handle error -> task.getException();
            }
        }
    });
sergio franco
  • 346
  • 2
  • 10
  • Thanks, sergio. If this was a normal OAuth process, you'd be right. However, the entirety of the OAuth is handled by firebase authentication, and therefore I don't find the user's access token transparent to me. – Amit Jul 09 '20 at 16:16
  • I've edited my answer, I found some code to get the user's token – sergio franco Jul 10 '20 at 17:02
  • Thanks sergio, unfortunately, the `getIdToken` only returns the firebase oauth token, not the Google oauth token, `Result object that contains a Firebase Auth ID Token.` – Amit Jul 11 '20 at 10:57
  • 1
    I'd say that the Firebase token should be valid for the Google Drive executions, I've found this [https://medium.com/google-cloud/using-google-apis-with-firebase-auth-and-firebase-ui-on-the-web-46e6189cf571] (article) with the same approximation that you are trying to achieve, I think the important part relies on the scopes that you request for the token. – sergio franco Jul 15 '20 at 21:47
0

A little about OAuth 2.0

Whenever a user signs up to your app/website via Google or 3rd Party, an Authorization Code, this Authorization Code is exchanged for an AccessToken & RefreshToken.

The AccessToken sent via Google are valid generally for 60 minutes.

Offline Access (Server Side)

Let's break it down to two parts:

If your need to update within 60 minutes of user's last activity

You can use firebase along with gapi to achieve that. You'll be provided with the AccessToken that can be sent back to server to add to calendar.

More info on implementation

If you need to update after 60 minutes of user's last activity

Firebase & gapi's most method handle the AuthorizationCode flow internally. They even further refresh the AccessToken after 60 minutes. This is beneficial for most developers as they won't have a headache of managing all the tokens.

This method but, hides RefreshToken & AuthorizationCode from the developer. That is even if your server has the access token, it won't be able to refresh it and it would be deemed useless.

To achieve complete offline access, in the initial request to get AuthorizationCode you will need to send a HTTP GET parameter access_type to offline

GAPI provides you with grantOfflineAccess() method which returns the AuthorizationCode that can be later used on your server to fetch access token & refresh token.

Note: If you are storing AuthorizationCode in your database, make sure it is secure. The limitation in Firebase are set due to security reason. It is more secure to not talk with AuthorizationCode generally.

More links

frunkad
  • 2,433
  • 1
  • 23
  • 35
  • Thank you. I understand and implemented OAuth2 many times. I'm specifically asking about firebase authentication where firebase handles all of the authentication processes, and I just want to get the currently active access token for the Google sign-in – Amit Jul 15 '20 at 11:53
  • This link should help you out https://firebase.google.com/docs/auth/web/google-signin#expandable-3 – frunkad Jul 15 '20 at 13:09