rio opened this issue 4 years ago
This did not fix it for me; I've tried using `offline` instead of `offline_access` as well.
https://github.com/heptiolabs/gangway/blob/master/docs/google.md#configuring-gangway says to leave `offline` out, but as @Rio mentions, there is no refresh token.
@VihanAgarwal97, make sure you add `access_type=offline` to your auth URL like so: https://accounts.google.com/o/oauth2/v2/auth?access_type=offline
Still missing a refresh token.

```yaml
apiVersion: v1
kind: ConfigMap
data:
  gangway.yaml: |
    apiServerURL: <redacted>
    audience: https://${DNS_NAME}/userinfo
    authorizeURL: https://accounts.google.com/o/oauth2/v2/auth?access_type=offline
    clientID: ${GANGWAY_CLIENT_ID}
    clientSecret: ${GANGWAY_CLIENT_SECRET}
    clusterName: <redacted>
    port: 8080
    redirectURL: <redacted>
    scopes:
      - openid
      - profile
      - email
    tokenURL: https://www.googleapis.com/oauth2/v4/token
    usernameClaim: email
```
I'm using the helm chart to deploy:

```yaml
# Values file as block file
values: |
  gangway:
    scopes: ["openid", "profile", "email"]
    apiServerURL: "<redacted>"
    authorizeURL: "https://accounts.google.com/o/oauth2/v2/auth?access_type=offline"
    tokenURL: "https://www.googleapis.com/oauth2/v4/token"
    clusterName: <redacted>
    # Where to redirect back to. This should be a URL
    redirectURL: "<redacted>/callback"
    usernameClaim: "email"
  env:
    - name: GANGWAY_SESSION_SECURITY_KEY
      valueFrom:
        secretKeyRef:
          name: gangway-test-key
          key: sessionkey
    - name: GANGWAY_AUDIENCE
      valueFrom:
        secretKeyRef:
          name: gangway-secret
          key: client_id # For Google OAuth, clientID is the same as audience
    - name: GANGWAY_CLIENT_ID
      valueFrom:
        secretKeyRef:
          name: gangway-secret
          key: client_id
    - name: GANGWAY_CLIENT_SECRET
      valueFrom:
        secretKeyRef:
          name: gangway-secret
          key: client_secret
```
@Rio the docs specify a different url, I'm not sure what to use. https://github.com/heptiolabs/gangway/blob/master/docs/google.md#configuring-gangway This is currently blocking us from using this in prod.
Google only issues refresh tokens once per login. To get a refresh token again, remove your third-party integration from accounts.google.com from your account, then log in again.
This can be resolved, luckily without code changes, by adding it to the authorization URL set in the configuration.
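The two halves of the fix discussed in this thread, as an added example that is not gangway's code and was not posted by anyone above: merging `access_type=offline` into an authorize URL without clobbering a query string it may already carry, and checking a token-endpoint response for the `refresh_token` that the configs above were not getting back. The endpoint URLs are the ones quoted in the thread; `prompt=consent` is Google's documented parameter for forcing a fresh consent grant and is an assumption from Google's documentation, not something the thread mentions; the client id, redirect URI, state and the sample token responses are constructed placeholders.

```python
"""Added example, not gangway's own code or anything from this thread.

Assumptions, labelled: endpoint URLs are the ones quoted in the thread;
prompt=consent is Google's documented parameter for forcing a fresh
consent screen (not mentioned in the thread); client_id, redirect_uri,
state and the sample token responses are constructed placeholders.
"""
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Endpoints as they appear in the configs posted in the thread.
GOOGLE_AUTHORIZE_URL = "https://accounts.google.com/o/oauth2/v2/auth"
GOOGLE_TOKEN_URL = "https://www.googleapis.com/oauth2/v4/token"


def add_query_params(url: str, extra: dict) -> str:
    """Return url with the keys in extra merged into its query string.

    Existing parameters are kept; a key present in both is overridden by
    extra. This is what the thread does by hand when it writes
    '...?access_type=offline' into authorizeURL, done safely for URLs
    that already carry a query string.
    """
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    params.update(extra)
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(params), parts.fragment))


def build_authorize_url(client_id: str, redirect_uri: str, state: str,
                        scopes: list, force_consent: bool = False) -> str:
    """Build a Google authorization-code URL that asks for a refresh token.

    access_type=offline is the fix from the thread. Google hands out a
    refresh token only on the first consent grant for a client, which is
    why the thread's workaround is to remove the app from the Google
    account and log in again; prompt=consent (assumed from Google's
    documentation, not from the thread) asks for that grant again instead.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,  # CSRF binding; the callback must verify it
        "access_type": "offline",
    }
    if force_consent:
        params["prompt"] = "consent"
    return add_query_params(GOOGLE_AUTHORIZE_URL, params)


def check_token_response(body: str) -> dict:
    """Summarize a token-endpoint JSON body.

    Reports which tokens were present so that a missing refresh_token is
    visible before it turns into a kubeconfig that stops working once the
    short-lived access token expires.
    """
    data = json.loads(body)
    return {
        "has_access_token": "access_token" in data,
        "has_id_token": "id_token" in data,
        "has_refresh_token": bool(data.get("refresh_token")),
        "expires_in": data.get("expires_in"),
    }


# Constructed sample responses (not real tokens): the first is the shape
# the thread complains about, the second is what an offline flow returns
# on first consent.
SAMPLE_RESPONSE_NO_REFRESH = json.dumps({
    "access_token": "ya29.constructed-sample",
    "expires_in": 3599,
    "scope": "openid email profile",
    "token_type": "Bearer",
    "id_token": "eyJ.constructed.sample",
})
SAMPLE_RESPONSE_WITH_REFRESH = json.dumps({
    "access_token": "ya29.constructed-sample",
    "expires_in": 3599,
    "refresh_token": "1//constructed-sample",
    "scope": "openid email profile",
    "token_type": "Bearer",
    "id_token": "eyJ.constructed.sample",
})


if __name__ == "__main__":
    url = build_authorize_url("CLIENT_ID_PLACEHOLDER",
                              "https://gangway.example.invalid/callback",
                              "constructed-state",
                              ["openid", "profile", "email"],
                              force_consent=True)
    print(url)
    for label, body in (("without refresh", SAMPLE_RESPONSE_NO_REFRESH),
                        ("with refresh", SAMPLE_RESPONSE_WITH_REFRESH)):
        print(label, check_token_response(body))
```

`add_query_params` is the part that matters for the helm values above: if `authorizeURL` is later given a second parameter, the merge keeps `access_type=offline` rather than producing a URL with two `?` characters. `check_token_response` is meant for the debugging step the thread went through, run against the token endpoint's JSON before blaming the config.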