Why does refresh_token disappear after relogin without consent?

Hi,

I am using

const url = await buildAuthorizeUrl({
  connection: 'google-oauth2',
  connection_scope:
    'https://www.googleapis.com/auth/calendar.readonly',
  access_type: 'offline',
  prompt: 'consent',
});

in order to log in a user and have an access_token / refresh_token to be able to use the Google Calendar API later on. It works perfectly.

Since the user already gave consent at the first login, I would like to avoid showing the consent screen every time the user needs to log in again.

The refresh_token disappears from the “google-oauth2” provider identity when I do so.
Is this expected behavior? How can I achieve consent-free subsequent logins when the consent was already given by the user?

Thanks.

Hi @dyox,

Welcome to the Auth0 Community!

I understand you are having issues with retrieving Google refresh tokens.

Before we go any further, is there a reason you are using the legacy SDK auth0.js? You may be better off using the newer auth0-spa-js SDK. From the code sample you provided, you should be able to have the same behavior with a more secure flow.

Hi @dan.woda ,

I followed this tutorial, Auth0 Ionic & Capacitor (React) SDK Quickstarts: Add login to your Ionic React with Capacitor app, and it prompted me to install @auth0/auth0-react.
I think I was searching for a way to pass connection_scope, access_type: 'offline' and prompt: 'consent' in order to get the refresh_token from Google, and I found buildAuthorizeUrl somewhere in the documentation or forum (?).

I am open to any kind of improvement.

It looks like this behavior is intended by Google:

So you will need to fetch the refresh token from Auth0 and store it after the first successful login.

@dan.woda Thanks for your answer.

I was aware of this behavior but since the refresh_token was already stored in Auth0 (at the first login and consent), I thought there was a way to keep it in Auth0. I didn’t want to store it in my Database but it seems like that’s the only solution.


I tested it and can confirm this is the behavior I am seeing.

If you’d like, you can leave us some feedback here: Feedback.
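
An added example, not from the thread or from Auth0: one way to implement the "store it after the first successful login" step server-side, so that a later login whose google-oauth2 identity carries no refresh_token never overwrites the stored one, with the token encrypted at rest. The profile shape (`user_id`, `identities[].provider`, `identities[].refresh_token`), the Map-like `store`, and all function names are assumptions; the token values are constructed.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM so the long-lived refresh token is never stored in the clear.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64');
}

function unseal(key, sealed) {
  const raw = Buffer.from(sealed, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28)); // throws on tampered ciphertext
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// Run after every login. Returns what happened so the caller can react.
function rememberGoogleRefreshToken(store, key, profile) {
  const google = (profile.identities || []).find((i) => i.provider === 'google-oauth2');
  if (!google) return 'no-google-identity';
  if (google.refresh_token) {
    store.set(profile.user_id, seal(key, google.refresh_token));
    return 'stored';
  }
  // Login without consent: no refresh_token came back. Keep the stored one;
  // if nothing is stored, the caller must send the user through consent once.
  return store.has(profile.user_id) ? 'kept' : 'consent-required';
}

function loadGoogleRefreshToken(store, key, userId) {
  const sealed = store.get(userId);
  return sealed ? unseal(key, sealed) : null;
}

// Constructed sample profiles (hypothetical shape, see the lead-in).
const firstLogin = {
  user_id: 'google-oauth2|constructed-1',
  identities: [{ provider: 'google-oauth2', access_token: 'constructed-at-1', refresh_token: 'constructed-rt-1' }],
};
const silentRelogin = {
  user_id: 'google-oauth2|constructed-1',
  identities: [{ provider: 'google-oauth2', access_token: 'constructed-at-2' }],
};

const demoKey = crypto.randomBytes(32); // assumption: a real key comes from a secrets manager
const demoStore = new Map();            // assumption: stands in for the application database
console.log(rememberGoogleRefreshToken(demoStore, demoKey, firstLogin));    // first login with consent
console.log(rememberGoogleRefreshToken(demoStore, demoKey, silentRelogin)); // relogin without consent
```

A `consent-required` result is the one case where the login should be repeated with `prompt: 'consent'`.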
