Closed jwatte closed 4 months ago
This is expected behavior.
Case 1 works because you provided a valid token; the auth lib just uses it without refreshing it.
In the other 3 cases token refresh is used. Your organization admin sets up reauth policy, however,
Therefore, the solution would be to re-login with the device code flow after the token expires. Another less secure option would be letting the admin exempt trusted apps, which neutralizes reauth for everything except 1P apps.
Closing this as stale. Please re-open should you have further questions.
Thanks!
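The fallback the closing comment describes (keep using the stored refresh token until the reauth policy rejects it, then re-run the device code flow), as an added example that is not code from the issue or from google-auth. It assumes the token endpoint reports the reauth case as `invalid_grant` with an `error_subtype` of `invalid_rapt` or `rapt_required`; the function names and sample replies are constructed.

```python
import json
import urllib.parse

# Assumption: error_subtype values sent with invalid_grant when an admin's
# reauth policy requires a fresh interactive sign-in.
REAUTH_SUBTYPES = {"invalid_rapt", "rapt_required"}

def build_refresh_body(refresh_token, client_id, client_secret):
    """Form body of an RFC 6749 section 6 refresh request (no access token needed)."""
    return urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    })

def next_action(status, body):
    """Return (action, access_token) for a token endpoint reply."""
    try:
        data = json.loads(body)
    except ValueError:
        data = None
    if not isinstance(data, dict):
        return ("retry_later", None)  # proxy page, outage or truncated reply
    if status == 200 and data.get("access_token"):
        return ("use_token", data["access_token"])
    if data.get("error") == "invalid_grant":
        if data.get("error_subtype") in REAUTH_SUBTYPES:
            return ("device_flow_reauth", None)  # policy expiry: prompt the user
        return ("device_flow_revoked", None)  # revoked or expired: discard stored token
    return ("retry_later", None)

# Constructed sample replies, not captured from a real endpoint.
SAMPLES = {
    "ok": (200, '{"access_token": "constructed-token", "expires_in": 3599}'),
    "reauth": (400, '{"error": "invalid_grant", "error_subtype": "invalid_rapt"}'),
    "revoked": (400, '{"error": "invalid_grant", "error_description": "Token has been expired or revoked."}'),
    "outage": (503, "<html>Service Unavailable</html>"),
}

if __name__ == "__main__":
    for name, (status, body) in SAMPLES.items():
        print(name, next_action(status, body))
```

Separating the reauth case from a revoked token lets a kiosk show the sign-in prompt as a routine event while treating an unexpected revocation as something to log and investigate.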
Environment details
google-auth version: 2.29.0

Steps to reproduce
A full script (minus the cloud-project-side setup) is available at: https://gist.github.com/jwatte/e46c4bfd0e4cfd5238dbff3d68f65072
In brief:
- access_token is optional (could be None) if a refresh_token is provided. However, this doesn't work.
- refresh() function, whether called automatically or manually, seems to never succeed for tokens acquired through the DeviceClient flow.

This means that a device can't save the refresh token locally, and then obtain a new access token when needed. Given how cumbersome the device sign-in/authorization flow is, having to do this frequently is very high friction, and makes using oauth2 instead of service account keys impossible for kiosk-type implementations.
To make sure all the information is also in this ticket, here is the reproduction script:
And here is the logged output from running the script (and waiting an hour, because of the last case):