I'm trying to implement a photo uploading to Google Drive feature (using the Google Drive API and GIS) into a web app that I'm working on, but can't seem to figure out how to keep a user authenticated for longer than the designated expiry time of the access token (which is 1 hour) without prompting the user or opening a popup.
The sample code provided at https://github.com/googleworkspace/browser-samples/blob/master/drive/quickstart/index.html forces the user to click a "refresh" button to get a new token, but this means I would have to force users to sign in every hour, which isn't ideal (since users are likely going to be using the app for periods longer than an hour at a time).
According to https://developers.google.com/identity/oauth2/web/guides/use-token-model#token_expiration, this appears to be intentional. However, after looking around quite a bit, I found that one could supposedly use a refresh token to generate a new access token that expires after another hour. Assuming you generate a new token every 45 minutes or so (which another Google article actually suggested, but I can't seem to find it now), then you should never have to worry about this re-authentication.
However, I can't figure out how to get a refresh token.
Not receiving Google OAuth refresh token suggests sending access_type=offline as a query parameter, but I'm not using any redirects, and the aforementioned documentation for initTokenClient and requestAccessToken doesn't make any mention of an access_type parameter.
The closest I've gotten is calling the requestAccessToken method periodically, but this still brings up a popup for the user to sign in again, which is what I'm trying to avoid. Even using requestAccessToken({ prompt: "" }) still brings up this popup window, but it at least logs in without any user input. Is there any way to disable this popup window entirely?
Worst case scenario, I force the user to re-authenticate every hour, but this seems like it would make for a less-than-ideal UX. Any help is appreciated.
asked May 1, 2022 at 21:56 by simplexshotz
- Any luck with this? I have the same question – Justin Commented May 18, 2022 at 4:00
- I've come to the conclusion that the popup that appears when the prompt is none, is a flaw in the UX. Perhaps they might fix it in the future, but for now, there is nowhere to report that to the Google engineers. – Morfinismo Commented May 20, 2022 at 19:00
- This seems basically... insane. To prompt a user every page load? Every time a token expires? That's not viable. There has to be some mistake. – Blunt Jackson Commented Jun 20, 2022 at 17:29
- Your popup does NOT need to have the user sign in again, but it will flash. The key is to hint the popup with the signed-in user's email address. Details are in the reference. I also have a tutorial on this here: overclocked.medium.com/… – Blunt Jackson Commented Jun 23, 2022 at 19:52
2 Answers
I have stepped through GIS library code and can confirm that prompt='' and prompt='none' are not implemented the way requestAccessToken documentation implies. GIS always opens a pop-up window. The prompt parameter only changes what happens in the pop-up. There are also no token storage or caching features in GIS, only in the pop-up.
The current prompt parameter behavior looks by design based on the OAuth 2.0 flow comparison table. The access token should be refreshed only when the user invokes an action that requires it.
This leaves us with a pretty awful UX experience where the pop-up has to briefly open and close every hour or so. The alternative is to use the authorization code flow. But it requires implementing a mechanism to send the access token back to the client side from the backend.
The button flow and consent popup behavior is intentional for browsers to obtain an access token. When configuring, setting prompt to an empty string will suppress the user popup on every request: prompt=''.
Adopting the code model with auth code and exchanging the refresh token for access token is what you are looking for if you'd like to perform actions on behalf of the user without their being present or having to trigger a token request with a gesture such as a button press.
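A sketch of the backend half of the code model that both answers point to, added here as an example and not part of either answer: the server exchanges the authorization code once, keeps the refresh token and client secret to itself, and hands the browser only short-lived access tokens. The `cfg` object, the in-memory session map, the five-minute renewal margin and the injected `post` transport are assumptions made for illustration.

```javascript
// Server-side token broker for the authorization code model (added example).
const TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token";
const REFRESH_MARGIN_MS = 5 * 60 * 1000; // renew 5 minutes before expiry (assumption)

// Build the form body for either grant: { code } or { refreshToken }.
function buildTokenRequest(cfg, grant) {
  const body = new URLSearchParams({ client_id: cfg.clientId, client_secret: cfg.clientSecret });
  if (grant.code) {
    body.set("grant_type", "authorization_code");
    body.set("code", grant.code);
    body.set("redirect_uri", cfg.redirectUri);
  } else {
    body.set("grant_type", "refresh_token");
    body.set("refresh_token", grant.refreshToken);
  }
  return body;
}

class TokenBroker {
  // post(url, URLSearchParams) -> Promise<object> is injected so the flow runs offline in tests.
  constructor(cfg, post, now = Date.now) {
    Object.assign(this, { cfg, post, now, sessions: new Map() });
  }
  // Called once with the code the browser got from the initCodeClient callback.
  async exchangeCode(sessionId, code) {
    const t = await this.post(TOKEN_ENDPOINT, buildTokenRequest(this.cfg, { code }));
    if (!t.refresh_token) throw new Error("no refresh_token in response");
    this.sessions.set(sessionId, { refreshToken: t.refresh_token });
    return this.store(sessionId, t);
  }
  // Called whenever the browser needs a token; renews without any popup near expiry.
  async getAccessToken(sessionId) {
    const s = this.sessions.get(sessionId);
    if (!s) throw new Error("unknown session");
    if (s.expiresAt - this.now() > REFRESH_MARGIN_MS) return this.publicView(s);
    const grant = { refreshToken: s.refreshToken };
    return this.store(sessionId, await this.post(TOKEN_ENDPOINT, buildTokenRequest(this.cfg, grant)));
  }
  store(sessionId, t) {
    const s = this.sessions.get(sessionId);
    s.accessToken = t.access_token;
    s.expiresAt = this.now() + t.expires_in * 1000;
    return this.publicView(s);
  }
  // Only the short-lived access token is ever returned to the browser.
  publicView(s) {
    return { access_token: s.accessToken, expires_at: s.expiresAt };
  }
}
```

In production the session map would be a store keyed to the authenticated user with the refresh token encrypted at rest, and the endpoint that calls `getAccessToken` must itself require the user's session.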