Google OAuth: refresh_token discarded after first refresh
re322 opened this issue · 1 comment
re322 commented
Refreshing the token a second time fails when using \yii\authclient\clients\Google.
What steps will reproduce the problem?
- Authenticate with Google asking for offline (persistent) access. This requires the following parameters in the URL:
$client->buildAuthUrl(['access_type' => 'offline', 'prompt' => 'consent']);
- Wait for the token to expire (alternatively, edit the state storage directly, changing createTimestamp from 16… to 10…)
- Use the client (authclient will refresh the token automatically)
- Repeat step 2
- Use the client again (it will try to refresh the token and fail)
What's expected?
A token being refreshed successfully every time.
What do you get instead?
After step 3: refresh_token isn't kept in the state storage.
After step 5: token refreshing fails.
Additional info
Replacing
$token = $this->createToken(['params' => $response]);
with
$token = $this->createToken(['params' => array_merge($token->getParams(), $response)]);
in \yii\authclient\OAuth2::refreshAccessToken
(by overriding it in a subclass or directly) seems to solve the issue.
I am not sure if this is Google not following the OAuth2 spec, but other clients seem to provide a new refresh_token, while Google does not provide a new refresh_token and refreshing works with the same refresh_token.
I am using a persistent StateStorageInterface implementation to store users' data in a database.
Q | A
---|---
Yii version | dev-master 2a45591
Yii Auth Client version | 2.2.10
Yii HTTP Client version | dev-master 18413a6
PHP version | 7.4.6
Operating system | Windows 7 SP1
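The subclass route mentioned in the report, written out as an added example (this is not the reporter's code and not part of yii2-authclient). It lets the parent `refreshAccessToken` do the refresh as usual and only restores the previous `refresh_token` when the token endpoint's response did not return one, then re-saves the token so a persistent state storage keeps the merged params. The class name and namespace are assumed.

```php
<?php
// Added example, not from the issue or from yii2-authclient.
// Google client subclass that carries the previous refresh_token forward
// when the refresh response omits it. Namespace and class name are assumed.

namespace app\components;

use yii\authclient\clients\Google;
use yii\authclient\OAuthToken;

class GoogleOfflineClient extends Google
{
    /**
     * Refresh the access token as the parent does, then restore refresh_token
     * from the old token if the new response did not include one.
     */
    public function refreshAccessToken(OAuthToken $token)
    {
        $previousRefreshToken = $token->getParam('refresh_token');

        // Parent implementation POSTs grant_type=refresh_token to tokenUrl,
        // builds the new token from the response params only and stores it.
        $newToken = parent::refreshAccessToken($token);

        if ($previousRefreshToken !== null && $newToken->getParam('refresh_token') === null) {
            $newToken->setParam('refresh_token', $previousRefreshToken);
            // Save again so the state storage holds the merged params;
            // without this the next refresh has no refresh_token to send.
            $this->setAccessToken($newToken);
        }

        return $newToken;
    }
}
```

Register the subclass in place of `yii\authclient\clients\Google` in the auth client collection and keep requesting `access_type=offline` with `prompt=consent` as in the steps above; without `prompt=consent`, Google returns a refresh_token only on the first consent, so a user who already granted access gets none to preserve. The refresh_token is a long-lived credential equivalent to the user's grant, so the database-backed state storage that holds it needs the same access controls and at-rest protection as a password store, and the old value should be dropped whenever the endpoint does return a replacement.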
samdark commented
Interesting. Do you have time for a pull request?