# talk-kratos
s
Greetings, Does anyone know what is needed to retrieve the refresh token as a part of Google social login? Setting scopes of "offline" and "offline_access" don't work. Thoughts on if that is even possible currently. Thanks
m
Hello @silly-state-92756 🙂 Check out this document: https://www.ory.sh/docs/kratos/social-signin/get-tokens
s
When attempting to do this for Google based oidc, the refresh token field is empty. I believe specifically for Google, that you need to set the "access_type" param to "offline" during the authorization flow. https://stackoverflow.com/questions/30637984/what-does-offline-access-in-oauth-mean
m
I see. Is that something to be configured on the Google side? I currently don’t have Google Social set up on my demo project 😕.
s
Nope, this setting is something that is set by the OAuth client. I am currently experimenting with setting the URL parameter like so (https://github.com/ory/kratos/blob/master/selfservice/strategy/oidc/provider_generic_oidc.go#L77):
options = append(options, oauth2.SetAuthURLParam("access_type", "offline"))
Which should set the access_type, though I can't confirm the final Auth URL. Assuming it does work, I am still unable to retrieve the refresh_token from the response (meaning the "initial_refresh_token" is still blank when getting identity details via the "include_credential" param).
I confirmed that adding the "access_type" as "offline" does result in getting the refresh token as expected. Now the question is how to allow the consumer to configure this setting. Any thoughts on the best way to handle this? Alternatively, you could always request the refresh_token, but that might go against Google's recommendations.
m
Thanks for clarifying, I have not used it before 🙂
how to allow the consumer to configure this setting.
How does the flow look for this from the user perspective? Is this something you would want to have them configure before signing up or in the settings?
s
Well, the flow for the user (read: end-user logging in with their Google creds) should be unchanged. The consumer of Ory (read: me 🙂) should have the ability to set this up in the configuration of Google OIDC, like exposing an "additional parameters" property or mapping in the Kratos configuration yaml file.
Another option could be to make the Google AuthURL editable from one of the previous configuration points. Note: the Ory Cloud Generic OIDC allows for specifying the Redirect URL but not the Auth or Token URLs, which, if it did allow, would make this a whole lot easier, as I could create a custom OIDC provider that specifically creates a Google based session with refresh_token in the event one is needed.
m
I see, thanks for the details.
specifying […] the Auth or Token URLs
That would be a neat solution, let me check with the team what options we have.
s
I'm glad I could assist, plus I'm sure there's a saying somewhere that "...two Vincents are better than one" 😄
c
hello, I’m having the same issue. I’ve tried switching to generic and setting AUTH_URL with the extra parameters, but it gets ignored. I’ve tried mocking the discovery endpoint to pass the AUTH_URL with the extra parameters, but this has its security issues. Is there any update on making it possible to add extra parameters to the AUTH_URL?
(I am using the ory-network)
alternatively, provider_generic_oidc.go can be updated such that if AUTH_URL is set, it overrides the auth_url found during discovery... this would actually make the behaviour match the current documentation