Google Oauth2: Refreshing id_token on the client side

Question

I'm developing an angularjs web app.

To access server side api, I need to add an id_token header and I receive an id_token, by using https://accounts.google.com/o/oauth2/auth endpoint.

The crux of the matter is this - the id_token has an expiration date. Before accessing server API, I need to make sure the id_token is not expired yet, but if it is, the obvious choice would be to refresh it.

Is there any way I can refresh the id_token?

I know I could change access_type to offline, and receive a refresh_token, but it does seem pretty weird to ask for an offline access, when basically in my case user interacts with the server only at the moment when he actually using the web app online.

Answer 1

When the id_token expires, the client requests new tokens from the server, so that the user does not need to authorise again.

From IMPLEMENTING A SILENT TOKEN RENEW IN ANGULAR FOR THE OPENID CONNECT IMPLICIT FLOW

Answer 2

Forget all about refresh tokens and offline access. This method is only applicable for server and desktop apps. To have a refresh token present in the browser would be a massive security hole.

If you read the docs for the Google JS OAuth library, you'll see that it's easy to get a new access token once the current one expires. See gapi.auth.authorize() and note the comment for immediate=true. NB this method is deprecated, although it works. Absolutely everything you need to is at https://developers.google.com/api-client-library/javascript/reference/referencedocs