1
votes

I am developing a Google Chrome extension and am using Boris Smus' OAuth 2.0 library.

The authentication exchange completes, however, the problem I am having is that even though I specify access_type=offline during authorization, I never receive a refresh_token during the exchange, just access_token, expires_in and token_type.

My hunch is that this is because in my API access settings, OAuth2 is set up as a web application and web applications are not granted offline access. Does anyone know if this is correct or have been able to get it to work?

Thanks in advance.

3
It is very strange that a refresh_token is not given for offline access when I thought that was the entire point of a refresh_token. If you have any updates on this, please do share! - Raphael Rafatpanah

3 Answers

2
votes

For Google's OAuth client you need to have prompt=consent in the parameters to get the refresh_token every time.

Google does not provide a refresh_token for subsequent logins. It only provides a refresh_token when the user allows the access for the first time.

For more info, check out this answer: https://stackoverflow.com/a/10857806/5752311

1
votes

I managed to resolve the problem by adding the optional approval_prompt=force parameter to the authorization URL. By default, approval_prompt is set to 'auto'. When it is set to 'force', the refresh token appears during the token exchange.
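The two pieces these answers describe, as an added example that is not the original post's code and not part of Boris Smus' library: an authorization URL carrying access_type=offline together with prompt=consent (the current equivalent of approval_prompt=force), and a check on the token-exchange response that reports whether a refresh_token actually came back. The client ID, redirect URI, scopes and sample responses are placeholders; the endpoint is Google's documented v2 authorization endpoint.

```javascript
// Added example, not from the question or Boris Smus' library.
// Google's OAuth 2.0 authorization endpoint (documented, not an assumption).
const GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth";

// Build the authorization URL. The Chrome extension's client_id, redirect_uri
// and scopes are supplied by the caller (placeholders in the test below).
function buildAuthUrl({ clientId, redirectUri, scopes, state }) {
  const params = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: "code",   // authorization-code grant; the implicit grant never yields a refresh_token
    scope: scopes.join(" "),
    access_type: "offline",  // request a refresh_token at all
    prompt: "consent",       // force the consent screen so Google issues one on repeat logins too
    state,                   // anti-CSRF value; the extension must compare it on return
  });
  return `${GOOGLE_AUTH_ENDPOINT}?${params.toString()}`;
}

// Classify what the token endpoint returned. On a second login without
// prompt=consent (or approval_prompt=force) refresh_token is simply absent,
// which is exactly the symptom in the question, so surface it explicitly.
function classifyTokenResponse(body) {
  const t = typeof body === "string" ? JSON.parse(body) : body;
  if (t.error) {
    return { ok: false, reason: t.error };
  }
  if (typeof t.access_token !== "string" || t.access_token.length === 0) {
    return { ok: false, reason: "missing access_token" };
  }
  const hasRefreshToken =
    typeof t.refresh_token === "string" && t.refresh_token.length > 0;
  return {
    ok: true,
    hasRefreshToken,
    expiresInSeconds: t.expires_in,
    // A refresh_token grants long-lived access: it belongs in extension
    // storage, never in page-visible state or logs.
    note: hasRefreshToken ? "store refresh_token securely" : "no refresh_token; re-run consent",
  };
}
```

Treat the refresh_token like a credential: it should be written to extension storage only and never appear in console output or error reports.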

0
votes

According to the OAuth 2.0 specification, refresh_token is optional and is not supported in the Implicit Grant and Client Credentials Grant.

Since you mentioned access_type=offline, I guess you are using Facebook API. The Boris Smus document chapter VARYING OAUTH IMPLEMENTATIONS also said that Facebook doesn't return refresh token.

Please also read this question.