amazon-archives / amazon-cognito-identity-js

Amazon Cognito Identity SDK for JavaScript

Make Google API calls after user signs in via identity provider #606

Closed edongashi closed 6 years ago

edongashi commented 6 years ago

We are getting basic profile attributes (name, email, picture...) for google users via attribute mapping.

We'd like to fetch additional data such as calendars from google API. We have specified the custom scopes needed in the google identity provider config, and the consent screen is appearing as expected. How do we utilize those scopes to get the data we need?

Is this possible without introducing a second offline token request as in https://developers.google.com/identity/sign-in/web/server-side-flow?

edongashi commented 6 years ago

I just noticed there are attribute mappings for access_token and refresh_token. I will try using these and post progress here.

edongashi commented 6 years ago

The tokens don't get mapped when using an implicit flow. I haven't tried authorization code yet. Is there anything I need to know about this?

yuntuowang commented 6 years ago

@EdonGashi Yes, on the Cognito User Pool console, under the "Attribute Mapping" tab, you can map a Google attribute to a User Pool attribute, in your case access_token and refresh_token. To achieve this, you need to check one Google attribute and select one User Pool attribute from the drop-down list.

You said "The tokens don't get mapped when using an implicit flow." Can I ask which user pool attribute you mapped them to? How did you find out they are not mapped? Thanks.

edongashi commented 6 years ago

Hi @yuntuowang, we spent quite some time on this, but sadly without any success. We quit pursuing that feature because it had stalled us for weeks.

We tried things like:

In all of these cases we were not able to retrieve the refresh token, which is absolutely required for offline-access gapi calls. The refresh_token was empty, while the auth_token had some weird short value which, when tested in a decoder such as https://jwt.io/, returned gibberish. Plus, that auth_token was static (we initially thought Cognito handles the refreshing); it was standing there unmodified for days (auth_token expires in an hour or something).

We also contacted support and after some investigation, this was their stance:

It seems that Google returns the refresh token only if the authentication request was made using "access_type=offline" which Cognito does not do.

Closing this issue because it is no longer relevant. Thanks.
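The thread ends on two observations that are easy to verify client-side: a refresh token only comes back when the authorization request carries access_type=offline (the support reply says Cognito's Google federation does not send it), and a Google access token is an opaque string rather than a JWT, which is why jwt.io shows "gibberish". The following example is added here and is not code from the Cognito SDK or from anyone in this thread. It builds the Google authorization-code request with the parameters the server-side flow linked above needs, checks a token response for offline capability, and separates opaque access tokens from JWT id_tokens. The client id, redirect URI, state value and the token responses are constructed placeholders; the Google endpoint URLs are the real ones.

```javascript
// Added example, not part of the amazon-cognito-identity-js project or the issue.
// Shows what a direct Google OAuth request needs in order to obtain a refresh
// token, i.e. what the support reply says Cognito's Google IdP does not send.

const GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth";

// Build an authorization-code request. access_type=offline asks Google for a
// refresh token; prompt=consent re-shows the consent screen so the refresh
// token is issued again even if the user already granted these scopes (Google
// otherwise returns a refresh token only on the first authorization).
// The implicit flow (response_type=token) never yields a refresh token.
function buildOfflineAuthUrl({ clientId, redirectUri, scopes, state }) {
  const url = new URL(GOOGLE_AUTH_ENDPOINT);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("scope", scopes.join(" "));
  url.searchParams.set("access_type", "offline");
  url.searchParams.set("prompt", "consent");
  url.searchParams.set("state", state); // bind the callback to this session (CSRF protection)
  return url.toString();
}

// Inspect a parsed JSON response from https://oauth2.googleapis.com/token and
// report whether the grant can be used for offline API calls (e.g. calendars).
function checkTokenResponse(resp, requiredScopes) {
  const problems = [];
  if (!resp.refresh_token) {
    problems.push("no refresh_token: request lacked access_type=offline or consent was not re-prompted");
  }
  const granted = new Set((resp.scope || "").split(" ").filter(Boolean));
  for (const s of requiredScopes) {
    if (!granted.has(s)) problems.push(`scope not granted: ${s}`);
  }
  if (resp.token_type !== "Bearer") problems.push(`unexpected token_type: ${resp.token_type}`);
  return { offlineCapable: problems.length === 0, problems };
}

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const pad = b64.length % 4 === 0 ? "" : "=".repeat(4 - (b64.length % 4));
  return Buffer.from(b64 + pad, "base64").toString("utf8");
}

// Google access tokens are opaque (typically "ya29...."), so a JWT decoder
// cannot decode them; only the id_token is a JWT. Decoding is not verification:
// a JWT that "decodes" in jwt.io has not had its signature checked.
function looksLikeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) return false;
  try {
    const header = JSON.parse(base64UrlDecode(parts[0]));
    return typeof header.alg === "string";
  } catch {
    return false;
  }
}

// Constructed sample responses (placeholders, not real tokens).
const SAMPLE_OFFLINE_RESPONSE = {
  access_token: "ya29.a0AfH6SMB-example-opaque",
  expires_in: 3599,
  refresh_token: "1//0example-refresh",
  scope: "openid email https://www.googleapis.com/auth/calendar.readonly",
  token_type: "Bearer",
  id_token: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjMifQ.sig",
};
const SAMPLE_ONLINE_RESPONSE = {
  access_token: "ya29.a0AfH6SMB-example-opaque",
  expires_in: 3599,
  scope: "openid email",
  token_type: "Bearer",
};

const CALENDAR_SCOPE = "https://www.googleapis.com/auth/calendar.readonly";

console.log(buildOfflineAuthUrl({
  clientId: "example-client-id", // placeholder
  redirectUri: "https://app.example/oauth/callback", // placeholder
  scopes: ["openid", "email", CALENDAR_SCOPE],
  state: "random-state-value", // placeholder; generate per session
}));
console.log(checkTokenResponse(SAMPLE_OFFLINE_RESPONSE, [CALENDAR_SCOPE]));
console.log(checkTokenResponse(SAMPLE_ONLINE_RESPONSE, [CALENDAR_SCOPE]));
console.log(looksLikeJwt(SAMPLE_OFFLINE_RESPONSE.access_token), looksLikeJwt(SAMPLE_OFFLINE_RESPONSE.id_token));
```

The refresh token is a long-lived credential for the user's Google data; if you store it in a user pool attribute or anywhere else, treat it as a secret (encrypted at rest, never returned to the browser), and redeem it server-side with your client secret.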