Refresh token is not saved for "web" Google API application
JakubVanek opened this issue · 3 comments
It seems that I have selected a client-side application, which indeed does not receive the refresh token:
https://developers.google.com/identity/protocols/oauth2#clientside
Nope, the problem may be that the refresh token is only sent the first time the application asks for authorization: https://stackoverflow.com/a/8942732
[slightly off topic]
According to https://developers.google.com/identity/protocols/oauth2/native-app, the "Desktop app" application type could be used as well.
➕ it would not be necessary to create a new application for each user at all, one common application would be sufficient
➖ it would limit the callback URL to localhost only.
Current status of non-localhost uses with "web" application type:
- browser will not be opened (opn works by execing a browser on the server)
- but the URL can be grabbed from logs
- non-localhost redirect will be followed (if allowed by the application configuration on Google servers)
Status of non-localhost uses with "desktop" application type:
- browser will not be opened
- the URL can be grabbed from logs
- non-localhost redirect will not work
- but the URL may be modified by the user to reach the listening endpoint
It can be argued that non-localhost = non-desktop = web-app.
The "limited input" app type may also be worth looking into, but its authorization flow is different from the previous two (they can be used almost interchangeably).
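An added example, not part of the thread or of the project's code, for the behaviour noted above that Google sends the refresh token only on the first authorization: request offline access, optionally force the consent screen, and never overwrite a stored refresh token with an empty one. The function names, client ID and redirect URI are assumptions made for illustration; `access_type=offline` and `prompt=consent` are Google's documented authorization parameters.

```javascript
// Added example; buildAuthUrl and mergeTokens are hypothetical helper names.
const AUTH_ENDPOINT = 'https://accounts.google.com/o/oauth2/v2/auth';

// Build the authorization URL. access_type=offline asks for a refresh token;
// prompt=consent shows the consent screen again, so a refresh token is issued
// even when the user has already authorized this client before.
function buildAuthUrl({ clientId, redirectUri, scopes, forceConsent }) {
  const url = new URL(AUTH_ENDPOINT);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('scope', scopes.join(' '));
  url.searchParams.set('access_type', 'offline');
  if (forceConsent) url.searchParams.set('prompt', 'consent');
  return url.toString();
}

// Merge a token endpoint response into the previously stored tokens.
// A response without refresh_token keeps the stored one instead of erasing
// it; if neither has one, the caller must send the user through consent again.
function mergeTokens(stored, response, now = Date.now()) {
  const refreshToken =
    response.refresh_token || (stored && stored.refresh_token) || null;
  const tokens = {
    access_token: response.access_token,
    expiry_date: now + (response.expires_in || 0) * 1000,
    refresh_token: refreshToken,
  };
  return { tokens, needsReconsent: refreshToken === null };
}

// Constructed sample responses: first authorization, then a later one.
function demo() {
  const first = mergeTokens(
    null, { access_token: 'a1', expires_in: 3600, refresh_token: 'r1' }, 0);
  const later = mergeTokens(
    first.tokens, { access_token: 'a2', expires_in: 3600 }, 1000);
  return later.tokens; // refresh_token is still 'r1'
}
```

The stored refresh token is a long-lived credential, so whatever persists the merged object should keep it readable only by the service account that uses it.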