
The given token expires after 60 minutes while the user is on the website. How can I get a new one?

Open madnik7 opened this issue 1 year ago • 7 comments

This project is so handy, but unfortunately, we can't use it. The given token expires after 60 minutes while users are on the website. How can I get a new one? I know there are no refresh tokens with the Google sign-in button, but is there any way to trigger the component so it fetches a new token?

madnik7 avatar Apr 06 '23 19:04 madnik7

@madnik7 I believe the token is just for authenticating the user, that is, to check that the user is a verified Google user and to get the user's email. The authentication flow is usually done on the application side (like saving the user info/email on the server and creating a user session/token on the server), so there is no need for the token again until the user is logged out of the application or the application session/token has expired.

devbaji avatar May 10 '23 05:05 devbaji

Thank you for your reply. As you mentioned, one approach is to obtain an ID token for authentication and pass it to the authorization server to create an access token for accessing resources. While this approach may work for some enterprises that have their own authorization servers, in most cases the backend should handle token management, such as creating tokens, managing their expiration, and returning new tokens to the UI. This can be a lot of repetitive work for the UI too, which also needs to manage access tokens. Moreover, users who log in with Google cannot revoke access to that site, since the backend, not Google, manages the access token.

I can see that some authentication services like AWS Cognito/Azure B2C can handle this, and I can see the refresh token stored in the client's web local storage without requiring any code on our backend. Are you sure there is no way to do the same with Google?

madnik7 avatar May 10 '23 20:05 madnik7

Hi @madnik7,

Sign-in or authentication is login: it returns an ID token and an access token, and identifies the user behind the machine.

OAuth2 is authorization: it returns an access token and a refresh token granting your application access to a user's data.

Sign-in will not return a refresh token.

To obtain an access token for use with Google APIs, or to load some user data, you need to call the Google Identity Services authorization API instead. It's a separate JavaScript API, but packaged together with the authentication API.

devbaji avatar May 11 '23 03:05 devbaji

Also wondering if it's possible to extend beyond 60 minutes. Looks like Google has an expires_in parameter that could be used per this thread, and it is also shown in an example here?

dkonieczek avatar May 17 '23 21:05 dkonieczek

@dkonieczek If I understood correctly, this plugin just wraps the Google Sign-In button and retrieves the ID token. So you can use it as an access token (which is not recommended) for 60 minutes. To utilize the ID token as an access token, you'll need to perform additional steps on both the front end and back end. The thread you shared is attempting to obtain the access token from the Google OAuth2 API, which is a separate service and not directly related to Google Sign-In.

madnik7 avatar May 17 '23 23:05 madnik7

Hi, similar to this here: https://stackoverflow.com/questions/72418822/google-identity-services-how-to-refresh-access-token-for-google-api-after-one

It should be possible to implement the same flow, but it still requires some form of user interaction. It might be possible to automatically do the login ...

yeus avatar Dec 10 '23 16:12 yeus

Investigating more on this page: https://developers.google.com/identity/oauth2/web/guides/migration-to-gis?authuser=1#javascript_libraries

For the implicit flow (which this library uses), Google explicitly states:

The user must be present to call Google APIs, your app uses only access tokens, and does not require refresh tokens.

On the same page Google states this:

Token expiration: By design, access tokens have a short lifetime. If the access token expires prior to the end of the user's session, obtain a new token by calling requestAccessToken() from a user-driven event such as a button press.

So this is similar to the Stack Overflow links from above. It might be possible to do this in a subtle way without the user noticing, just by pressing buttons on the page. Maybe even without re-triggering the login window.

Through Google Cloud ID services it might be possible to extend the token validity up to 12 hours.

yeus avatar Dec 10 '23 17:12 yeus
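The implicit-flow rule quoted above (track `expires_in`, request a new access token only from a user-driven event), as an added example that is not part of vue3-google-login or of this thread. In the browser the token client comes from `google.accounts.oauth2.initTokenClient({ client_id, scope, callback })` and `requestAccessToken()` delivers the token response to that callback; here a constructed stand-in with the same shape is used so the code runs in Node, and the client ID, scope and 30-second expiry skew are assumptions.

```javascript
// Added illustration (not project code): a small holder for an implicit-flow
// access token. It records expires_in from each token response, tells callers
// whether the current token is still usable, and requests a new one only from
// a real user event, as the GIS docs require. Nothing here refreshes silently.

const EXPIRY_SKEW_MS = 30 * 1000; // assumption: treat the token as expired 30 s early

class AccessTokenHolder {
  constructor(now = () => Date.now()) {
    this.now = now;            // injectable clock so expiry is testable
    this.tokenClient = null;   // object exposing requestAccessToken()
    this.accessToken = null;
    this.expiresAt = 0;        // ms timestamp
    this.requestCount = 0;
  }

  attach(tokenClient) {
    this.tokenClient = tokenClient;
    return this;
  }

  // Wire this as the `callback` of initTokenClient; the response carries
  // access_token and expires_in (seconds), or an error field.
  onTokenResponse(resp) {
    if (!resp || resp.error || typeof resp.access_token !== "string") {
      this.accessToken = null;
      this.expiresAt = 0;
      return;
    }
    this.accessToken = resp.access_token;
    this.expiresAt = this.now() + resp.expires_in * 1000 - EXPIRY_SKEW_MS;
  }

  isValid() {
    return this.accessToken !== null && this.now() < this.expiresAt;
  }

  // Read-only: returns a usable token or null. Never triggers a request itself,
  // so API code cannot accidentally pop the consent dialog.
  getToken() {
    return this.isValid() ? this.accessToken : null;
  }

  // Call from a click handler on a visible "Reconnect Google" control. Refuses
  // synthetic events (isTrusted === false), which is what a script-dispatched
  // click would be; a real user gesture is required by the implicit flow.
  refreshFromUserGesture(event) {
    if (!event || event.isTrusted !== true) {
      throw new Error("token refresh must be triggered by a real user event");
    }
    if (!this.tokenClient) throw new Error("no token client attached");
    this.requestCount += 1;
    this.tokenClient.requestAccessToken();
  }
}

// Constructed stand-in for google.accounts.oauth2.initTokenClient(config):
// same config shape, same requestAccessToken() -> callback(response) contract,
// but no network and no consent UI.
function makeStandInTokenClient(config) {
  let issued = 0;
  return {
    requestAccessToken() {
      issued += 1;
      config.callback({
        access_token: `constructed-access-token-${issued}`,
        expires_in: 3599,
        token_type: "Bearer",
        scope: config.scope,
      });
    },
  };
}

function buildHolder(now) {
  const holder = new AccessTokenHolder(now);
  const client = makeStandInTokenClient({
    client_id: "PLACEHOLDER_CLIENT_ID.apps.googleusercontent.com", // placeholder
    scope: "https://www.googleapis.com/auth/drive.metadata.readonly", // assumed scope
    callback: (resp) => holder.onTokenResponse(resp),
  });
  return holder.attach(client);
}
```

In a real page, `getToken()` is what API calls consult; when it returns null the UI shows the reconnect control instead of retrying in a timer, which keeps the flow within what the GIS guidance allows and makes every token request visible to the user.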