I'm using the JS library https://apis.google.com/js/platform.js to log in my user to pass a token to my backend:

    gapi.auth2.getAuthInstance().signIn().then(() => {
        var user = gapi.auth2.getAuthInstance().currentUser.get();
        var authResp = user.getAuthResponse();
        var bodyFormData = new FormData();
        bodyFormData.append('google_token', authResp.access_token);
        // (the rest of the request to the backend is not shown in the question)
    });

When I receive the access token on my server I try to use the PHP client library to generate the rest of the client:

        $google = new google();
        $google->setAuthConfig('client_secrets.json');
        $google->setAccessType('offline');
        $google->createAuthUrl();
        $google->getRefreshToken();
        $google->setAccessToken($thePOSTedAccessToken);
        $service = new Google_Service_MyBusiness($google);

The issue is no matter what I do I cannot get my refresh token from client.auth after I create the `$client->createAuthUrl();`. So this either means I'm not doing the client properly in PHP or something else is wrong. I'm asking this question because I've followed all documentation and looked extensively why I'm not receiving my refresh.

Linda Lawton - DaImTo
i773
  • This will give you some insight on your case. https://stackoverflow.com/a/10857806/16327700 – axsaviour Jun 27 '21 at 14:09
  • Thanks so much, I did have a look at that `$google->setAccessType('offline');`. Even when I try and access the refresh on first login I don't get the refresh token (This is after removing the app from the google account) – i773 Jun 28 '21 at 14:41

1 Answer

You can't mix things like this. If the authorization code was created using JavaScript you will not be able to get a refresh token as JavaScript does not support refresh tokens.

If you want a refresh token then you will need to authorize the user using a server-side language and not a client-side language.

When you run the code the first time, the user will be shown a consent screen. If they consent to your access then you get a code returned. This is an authorization code.

In the example below you can see how the authorization code is exchanged for an access token and refresh token.

Only after `$client->authenticate($_GET['code']);` is called will `$client->getAccessToken();` and `$client->getRefreshToken();` work.

Also, once the code has been run once, if you try to authorize the user again you will not get a new refresh token; Google assumes that you saved the refresh token they already sent you. If you didn't save it, you would then need to revoke the user's access either using the revoke command in the library or by going to the user's Google account and revoking the application that way.

Sorry, all I have on hand is a web version; not sure if you're running this command-line or web-based.

    <?php
    require_once __DIR__ . '/vendor/autoload.php';
    require_once __DIR__ . '/Oauth2Authentication.php';

    // Start a session to persist credentials.
    session_start();

    // Handle authorization flow from the server.
    if (! isset($_GET['code'])) {
        // No code yet: send the user to Google's consent screen.
        $client = buildClient();
        $auth_url = $client->createAuthUrl();
        header('Location: ' . filter_var($auth_url, FILTER_SANITIZE_URL));
        exit; // Stop here so nothing else runs after the redirect.
    } else {
        $client = buildClient();
        $client->authenticate($_GET['code']); // Exchange the authorization code for a refresh token and access token.
        // Add access token and refresh token to session.
        $_SESSION['access_token'] = $client->getAccessToken();
        $_SESSION['refresh_token'] = $client->getRefreshToken();
        // Redirect back to main script.
        $redirect_uri = str_replace("oauth2callback.php", $_SESSION['mainScript'], $client->getRedirectUri());
        header('Location: ' . filter_var($redirect_uri, FILTER_SANITIZE_URL));
        exit;
    }

    ?>
tripleee
Linda Lawton - DaImTo
  • 1
    A discussion about this answer has been [archived in chat](https://chat.stackoverflow.com/rooms/234643/discussion-on-answer-by-daimto-returning-back-refresh-token-for-google-oauth-2-u). – Cody Gray - on strike Jul 08 '21 at 08:39
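
Added example, not part of the original answer or of Google's PHP client library: plain PHP showing the request parameters behind the server-side flow described above (`access_type=offline`, plus a `state` value checked on the callback) and how to keep the stored refresh token when a repeat authorization returns none. The function names, client ID, redirect URI, scopes and token values are constructed for illustration.

```php
<?php
// Added example: plain PHP, no Google client library; all inputs are constructed.
const GOOGLE_AUTH_ENDPOINT = 'https://accounts.google.com/o/oauth2/v2/auth';

// Build the consent URL. access_type=offline asks Google for a refresh token.
function buildAuthUrl(string $clientId, string $redirectUri, array $scopes, string $state): string
{
    return GOOGLE_AUTH_ENDPOINT . '?' . http_build_query([
        'client_id'     => $clientId,
        'redirect_uri'  => $redirectUri,
        'response_type' => 'code',   // server-side flow: an authorization code comes back
        'scope'         => implode(' ', $scopes),
        'access_type'   => 'offline',
        'state'         => $state,   // random value bound to this browser session
    ]);
}

// Accept a callback only if its state equals the one saved before the redirect.
function stateMatches(?string $expected, ?string $returned): bool
{
    return is_string($expected) && is_string($returned) && $expected !== ''
        && hash_equals($expected, $returned);
}

// Merge a token response into the stored tokens without losing the refresh token.
function mergeTokens(array $stored, array $response): array
{
    if (isset($response['error'])) {
        throw new RuntimeException('Token exchange failed: ' . $response['error']);
    }
    $merged = array_merge($stored, $response); // keys absent from $response keep their stored value
    if (empty($merged['refresh_token'])) {
        throw new RuntimeException('No refresh token stored or returned; revoke access and authorize again.');
    }
    return $merged;
}

// Constructed sample data (not real credentials or tokens).
$state = bin2hex(random_bytes(16));
echo buildAuthUrl('EXAMPLE_CLIENT_ID', 'https://app.example/oauth2callback.php',
    ['openid', 'email'], $state), PHP_EOL;
var_dump(stateMatches($state, $state), stateMatches($state, 'forged'));

$first  = ['access_token' => 'at-1', 'expires_in' => 3599, 'refresh_token' => 'rt-1'];
$second = ['access_token' => 'at-2', 'expires_in' => 3599]; // repeat authorization: no refresh_token
$stored = mergeTokens([], $first);
$stored = mergeTokens($stored, $second);
echo $stored['access_token'], ' ', $stored['refresh_token'], PHP_EOL;
```

In a real callback the expected state would come from `$_SESSION`, and the merged tokens would be written to server-side storage keyed by user rather than kept only in the session.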