Response type "code" sends request for token instead of authorization code
With the responseType="code", the GoogleAuth.grantOfflineAccess method sends a request for a token. To check that, open the Network tab in the Google Chrome developer tools and log in with your account. Here is an example of a request that the GoogleAuth.grantOfflineAccess method does:
https://accounts.google.com/o/oauth2/iframerpc?action=issueToken&response_type=token id_token&login_hint=<login-hint>&client_id=<client-id>&origin=http://localhost:3000&scope=openid profile email&ss_domain=http://localhost:3000
And the response is:
{"token_type":"Bearer",
"access_token":"<access-token>",
"scope":"email profile https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile opened",
"login_hint":"<login-hint>",
"expires_in":3599,
"id_token":"token-id-with-user-info",
"session_state":{"extraQueryParams":{"authuser":"0"}}}
At the same time, the onSuccess callback receives an object with an authorization code only.
I know it's not the react-google-login issue, but still, when you set the responseType to code you expect the access token to never appear on the client side.
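The following is an added example, not code from react-google-login, gapi, or the issue author. It shows what a code-only authorization request to Google looks like (response_type=code, so the code is exchanged server-side and no access token reaches the browser), and a small audit that takes a request URL copied from the Network tab, or a response body observed there, and reports whether tokens are being handed to the client. The Google endpoint used is the documented OAuth 2.0 authorization endpoint; the clientId, redirectUri and state values are constructed placeholders, and the captured request and response are the ones quoted in the issue with its placeholder values kept.

```javascript
// Added example for this issue; not code from react-google-login, gapi, or the
// issue author. Assumptions: GOOGLE_AUTH_ENDPOINT is Google's documented OAuth
// 2.0 authorization endpoint; clientId/redirectUri/state are constructed values.

const GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth";

// Response types that deliver a credential directly to the user agent.
const TOKEN_BEARING_RESPONSE_TYPES = new Set(["token", "id_token"]);

// Fields in a token response that a code-only client should never receive.
const TOKEN_FIELDS = ["access_token", "id_token", "refresh_token"];

// Build the request a code-only client should send. The browser is redirected
// here, Google redirects back with ?code=...&state=..., and the code is
// exchanged for tokens on the server, so no access token reaches the client.
function buildAuthCodeRequest({ clientId, redirectUri, scopes, state }) {
  const url = new URL(GOOGLE_AUTH_ENDPOINT);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("scope", scopes.join(" "));
  url.searchParams.set("access_type", "offline"); // Google: also issue a refresh token
  url.searchParams.set("state", state);           // CSRF binding, verified on return
  return url.toString();
}

// Inspect an authorization request URL (e.g. copied from the Network tab) and
// report whether its response_type will deliver tokens to the client.
function auditAuthRequest(requestUrl) {
  const url = new URL(requestUrl);
  // response_type is a space-separated list, e.g. "token id_token".
  const types = (url.searchParams.get("response_type") || "")
    .trim()
    .split(/\s+/)
    .filter(Boolean);
  const leaked = types.filter((t) => TOKEN_BEARING_RESPONSE_TYPES.has(t));
  return {
    endpoint: url.origin + url.pathname,
    responseTypes: types,
    codeOnly: types.length === 1 && types[0] === "code",
    deliversTokensToClient: leaked.length > 0,
    leakedTypes: leaked,
  };
}

// Inspect a JSON response body observed in the browser and list the token
// fields it carries. A code-only flow should produce an empty list.
function tokenFieldsInResponse(body) {
  const parsed = typeof body === "string" ? JSON.parse(body) : body;
  return TOKEN_FIELDS.filter(
    (f) => typeof parsed[f] === "string" && parsed[f].length > 0
  );
}

// The request and response quoted in the issue (placeholder values kept).
const CAPTURED_REQUEST =
  "https://accounts.google.com/o/oauth2/iframerpc?action=issueToken" +
  "&response_type=token id_token&login_hint=<login-hint>&client_id=<client-id>" +
  "&origin=http://localhost:3000&scope=openid profile email" +
  "&ss_domain=http://localhost:3000";

const CAPTURED_RESPONSE = JSON.stringify({
  token_type: "Bearer",
  access_token: "<access-token>",
  scope: "email profile",
  login_hint: "<login-hint>",
  expires_in: 3599,
  id_token: "token-id-with-user-info",
});

// Constructed values for the request the client should have sent instead.
const EXPECTED_REQUEST = buildAuthCodeRequest({
  clientId: "<client-id>",
  redirectUri: "http://localhost:3000/oauth/callback",
  scopes: ["openid", "profile", "email"],
  state: "constructed-random-state",
});
```

Running auditAuthRequest over the request from the issue reports deliversTokensToClient: true with leakedTypes ["token", "id_token"], and tokenFieldsInResponse over the quoted response lists access_token and id_token; the same audit over EXPECTED_REQUEST reports codeOnly: true. Checking the captured traffic this way is the quickest way to confirm whether a wrapper library really implements the authorization code flow or only relabels an implicit-style token request.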
Top GitHub Comments
Just checked my assumption with the gapi.auth2.authorize and it returns the authorization code without setting anything to the session storage or making any additional requests. It would be nice to have the ability to use react-google-login for authorization only (yes, I know that the name of the library says “google-login” 😃 )
@sepatin well, my opinion on that is if you need to get the authorization code only then don’t use any libraries and just redirect a user to the Google/Facebook sign-in page.