CODEWITHSUNDEEP
oauth-2.0google-apigoogle-oauthgoogle-plus-onegoogle-api-js-client
goofballLogic
goofballLogic

Reputation: 40489

How can I refresh a google plus bearer token (javascript)?

I'm using the google HTML sign-in button in my single page (javascript) application to obtain an authorization object from users with Google logins. This is detailed here: https://developers.google.com/+/web/signin/add-button.

I successfully receive back a token such as shown below. Since this token expires in 1 hour, I need to refresh the token every 30 minutes or so, until the user choses to log out. I am attempting this by calling:

gapi.auth.authorize({client_id: "90... ...92.apps.googleusercontent.com", scope: "profile email", immediate: true}, function() { console.log( arguments ); } );

but with no luck. I receive the same token back until it expires, after which I get back the empty (not signed in) token. How can I preserve / refresh the bearer token without the user having to continually log in again?

{
    _aa: "1"
    access_token: "ya29.1.AA... ...BByHpg"
    authuser: "0"
    client_id: "90... ...92.apps.googleusercontent.com"
    code: "4/Nyj-4sVVcekiDnIgMFh14U7-QdRm.svPMQSODiXMbYKs_1NgQtmX9F90miwI"
    cookie_policy: "single_host_origin",
    expires_at: "1398341363",
    expires_in: "3600",
    g_user_cookie_policy: undefined,
    id_token: "eyJhbGciOiJ... ...0Es1LI"
    issued_at: "1398337763",
    num_sessions: "2",
    prompt: "none",
    response_type: "code token id_token gsession",
    scope: "https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email",
    session_state: "b92d67080... ...73ae",
    state: "",
    status: {
       google_logged_in: true,
       method: "AUTO",
       signed_in: true
    },
    token_type: "Bearer"

}

Upvotes: 3

Views: 1800

Answers (2)

willlma
willlma

Reputation: 7533

As well as setting a timer, you should check that your token is still valid before making the API call. Now that the client library returns promises, and promises are chainable, you can do it really elegantly.

See my gist here.

Upvotes: 0

Waldo Jeffers
Waldo Jeffers

Reputation: 2279

Using the client side flow (ie Java Script) you can only receive short-lived (~1 hour) access_token. If you want to be able to refresh it, you need a refresh_token which can only be obtained using the server side flow.

You can find more information here.

Basically,it works like this :

  1. The user connects to your Website and clicks on the "Sign-in button"
  2. You receive an access_token and a code in JavaScript
  3. You send this code to a PHP Script on your web server
  4. The script makes a request to Google Servers and exchanges your code for an access_token(which should be identical to the one you just received in JavaScript) and a refresh_token
  5. You need to store this refresh_token somewhere (in a data base for example) because it will only be issued once (when the users grants permission)
  6. When one of your access_token is about to expire, you can use your refresh_token to get another valid access_token

Upvotes: 2

Related Questions