Google-api-javascript-client: Improve documentation on Implicit JavaScript OAuth flow and client-side token refresh capability

Created on 11 Jun 2020  路  2Comments  路  Source: google/google-api-javascript-client

Hi Team. The documentation does not advise a key feature/capability required for authN/authZ. If you improve and clarify your docs around this process, you could close multiple open issues and prevent a lot of developer heartache.

Problem/Issue
ZERO documentation on how to refresh a users OIDC id_token or OAuth access_token before the 1 hour expiry. This method, that can be used to accomplish authN/authZ refresh, doesn't mention anything about the fact that it automatically fires near token expiry, or can be used to refresh a users credentials.

Documentation to update

  1. GoogleAuth.currentUser.listen => Specify that it fires nearing token expiry, and provides a GoogleUser that can be used to refresh the token via GoogleUser.reloadAuthResponse (+ add a note to reloadAuthResponse as well)
  2. update the id_token information and link it to the fact that the id_token can be authN server-side following this
  3. Add a new "token refresh" section, below the existing "token revoke" section in your Javascript Implicit flow. GCP's current recommended method for all SPA's!
  4. Add a new "token refresh" and "token revoke" section to the OIDC page
  5. LINK the documentation here to the actual identity/sign-in api documentation => https://developers.google.com/identity/sign-in/

Related OPEN issues
https://github.com/google/google-api-javascript-client/issues/643
https://github.com/google/google-api-javascript-client/issues/599
https://github.com/google/google-api-javascript-client/issues/626
https://github.com/google/google-api-javascript-client/issues/469
https://github.com/google/google-api-javascript-client/issues/382

Most helpful comment

This is very much needed - the documentation only shows the login once example and is missing the important point: How to keep the user conveniently and securely logged in? What is the "secure storage" mentioned here in the OAuth docs - 5. Refresh the access token, if necessary. ?

All 2 comments

This is very much needed - the documentation only shows the login once example and is missing the important point: How to keep the user conveniently and securely logged in? What is the "secure storage" mentioned here in the OAuth docs - 5. Refresh the access token, if necessary. ?

+1

Was this page helpful?
0 / 5 - 0 ratings