Google-api-php-client: Refresh token is not returned by the library

Created on 29 Nov 2016 · 9Comments · Source: googleapis/google-api-php-client

Steps to replicate
1) Create a google api php client object as
```
$client = new Google_Client();
$client->setApplicationName("Google OAuth2");
$client->setClientId('CLIENT_ID');
$client->setClientSecret('CLIENT_SECRET');
$client->setRedirectUri('CALLBACK_URL');
$client->setDeveloperKey('API KEY');
$client->setApprovalPrompt('force');
$client->setAccessType('offline');
$client->addScope(SCOPE);
$auth_url = $client->createAuthUrl();

Now hit the auth_url, I am using drupal cms so I use drupal_goto for this
2)  I receive the callback and under that I use the same object and call the authenticate function with above object as

if (isset($_GET['code'])) {
$client->authenticate($_GET['code']);
$access_token = json_encode($client->getAccessToken());
// Save the access token in db
}

The access token now has refresh_token

3) After sometime when the refresh token is expired.  I checked this before making actual api call with code

if ($client->isAccessTokenExpired()) {
$client->refreshToken($client->getRefreshToken());
$token = $client->getAccessToken(); // This token has no refresh token.
// Save it again in the db.
}
```
Note that I am using the client object same as I created in step 1 and now the token don't have the refresh token and hence when it expires next time my system(same code) can't refresh it.

Please help me if I am missing something so that I can keep the token upto date. I am maintainer of https://www.drupal.org/project/gauth and many users of this module are reporting that the token keeps expiring, I can't keep the token even with offline mode because of the above problem.

Thanks,
Sadashiv.

Source

sadashivdalvi

Most helpful comment

Besides
$client->setAccessType('offline');
Need to include force prompt to Google return the refresh token:
$client->setApprovalPrompt('force');
Works for me.

heukirne on 10 Jul 2017

👍4

All 9 comments

Sorry for creating this dupe issue. It is dupe with https://github.com/google/google-api-php-client/issues/1064 but still please update as I can see others are also facing the same issue.

Thanks,
Sadashiv

sadashivdalvi on 29 Nov 2016

I am having similar problems and it is wrecking my business... I just can't get the token system working without it overwriting with nulls. Please help!

josh1600 on 5 Jan 2017

@josh1600 PTAL at #1121, this should fix the issue.

bshaffer on 5 Jan 2017

Wait?! What?

Isn't it the access_token that expires and you use a refresh_token to get a new one? The refresh_token doesn't expire unless revoked?

Sorry just a little confused here.

jonnywilliamson on 5 Jan 2017

My understanding is that you need to pass a username and password through a grant_type parameter in your URL request. I havent got it to work myself yet but reading the documentation, it needs to make a callback when the token is expired and be able to log in automatically. I believe this is so that if you were to log in on a friends computer you would not want them to access a refresh token so unless you specifically code your username and password into the request it wont grant a refresh token. you can check this out.
this is the oauth 2 documentation.

https://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-6

chawker21 on 14 Feb 2017

Besides
$client->setAccessType('offline');
Need to include force prompt to Google return the refresh token:
$client->setApprovalPrompt('force');
Works for me.

heukirne on 10 Jul 2017

👍4

It looks like a member of our great community answered your questions. Thanks Community! Please feel free to reopen if you have any more questions.

mattwhisenhunt on 22 Dec 2017

Besides
$client->setAccessType('offline');
Need to include force prompt to Google return the refresh token:
$client->setApprovalPrompt('force');
Works for me.

Once done this it will return the refresh_code. That's fine. but when we set setAprrovalPrompt to 'force' every time it shows the consent screen to the user. is there any workaround for this?

yasithao3 on 18 Sep 2018

@yasithao3 thats what approval prompt force does. It forces the user to consent to your access again. If you want a refresh token you must have the users consent for that.

You should be saving the refresh token the first time you received one. They do not expire.