actions-on-google / actions-on-google-nodejs

Node.js client library for Actions on Google
https://actions-on-google.github.io/actions-on-google-nodejs
Apache License 2.0

OAuth2 how to deal with expired access token #399

Closed MichiOnGithub2 closed 3 years ago

MichiOnGithub2 commented 4 years ago

Hi everyone,

I set up authorization code flow OAuth account linking and it works just fine, but the access token only lasts for roughly 10 min after which it expires. As I don't get a refresh token I don't know how to obtain a new token. Throwing an UnauthorizedError() does not work apparently.

Also how would I go back to my previous intent after requesting a SignIn()?

Kind regards, Michi

Fleker commented 4 years ago

In the authorization code flow, you should have a refresh token.

MichiOnGithub2 commented 4 years ago

I thought so as well, maybe my auth flow is wrong? Currently the flow is as follows: A user triggers an intent which requires auth; if no access token is present the fulfillment asks for a SignIn(), the user is forwarded to the login page and on redirect the signin event intent is triggered.

I'd like to get a refresh token now, but in the SignIn intent I only get the user object and a signin status

"user": {
  "accessToken": "eyJraWQiOiJTa0NZcDBrS00iLCJhb...",
  "locale": "de-DE",
  "lastSeen": "2020-06-23T09:34:46Z",
  "userVerificationStatus": "VERIFIED"
},
"signin": {
  "status": "OK"
}

Is the refresh token hidden away on the AoG backend?

Fleker commented 4 years ago

You will not get the refresh token on the AoG side, but you should have it as part of the connection to your authentication.

MichiOnGithub2 commented 4 years ago

Thank you for your response Fleker! Could you please elaborate on this? Do I have to invoke the connection to my OpenID server manually? Right now all my fulfillment does is respond with conv.ask(new SignIn('...')); which redirects to my /authorize endpoint, which then opens a login form and on success returns to AoG.

Maybe this is a newbie mistake, but I don't see how I can get a refresh token without doing the whole OAuth process on my own. Could you please point me in the right direction?

Kind Regards, Michi

Fleker commented 4 years ago

but I don't see how I can get a refresh token without doing the whole OAuth process on my own

Your OAuth server should be giving a refresh token to Google to allow Google to be authorized. The OAuth guide may provide more assistance in explaining the process.

MichiOnGithub2 commented 3 years ago

Alright then I'll check if there's an issue with my OAuth server configuration, thank you Fleker!