Response type "code" sends request for token instead of authorization code


With responseType="code" the GoogleAuth.grantOfflineAccess method sends a request for a token. To check that, open the Network tab in the Google Chrome developer tools and log in with your account. Here is an example of a request that the GoogleAuth.grantOfflineAccess method makes:

https://accounts.google.com/o/oauth2/iframerpc?action=issueToken&response_type=token id_token&login_hint=<login-hint>&client_id=<client-id>&origin=http://localhost:3000&scope=openid profile email&ss_domain=http://localhost:3000

And the response is:

{"token_type":"Bearer",
"access_token":"<access-token>",
"scope":"email profile https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile opened",
"login_hint":"<login-hint>",
"expires_in":3599,
"id_token":"token-id-with-user-info",
"session_state":{"extraQueryParams":{"authuser":"0"}}}

At the same time, the onSuccess callback receives an object with an authorization code only. I know it’s not a react-google-login issue, but still, when you set the responseType to code you expect the access token to never appear on the client side.
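The mismatch described above can be checked mechanically from a captured request and its response: compare the response_type the app was configured with against the one actually sent, and flag any token fields that reached the browser. This is an added example, not code from react-google-login or from the issue author; it assumes a Node.js environment with the WHATWG URL global, and the request URL and response body below are constructed copies of the ones quoted in the issue.

```javascript
// Added example (not react-google-login code): audit a captured OAuth authorization
// request/response pair against the response type the application configured.

// Which response field each OAuth response_type value is allowed to produce.
const FIELD_FOR_RESPONSE_TYPE = { code: 'code', token: 'access_token', id_token: 'id_token' };
// Fields that carry credentials or codes; anything not covered by the configured
// response type should never show up in the browser.
const TOKEN_FIELDS = ['code', 'access_token', 'id_token', 'refresh_token'];

function auditOAuthExchange(configuredResponseType, requestUrl, responseBody) {
  // response_type is a space-separated list, e.g. "token id_token".
  const expected = new Set(configuredResponseType.trim().split(/\s+/));
  const allowedFields = new Set(
    [...expected].map((rt) => FIELD_FOR_RESPONSE_TYPE[rt]).filter(Boolean)
  );

  // Values actually requested on the wire (URL handles the literal space in the value).
  const params = new URL(requestUrl).searchParams;
  const requested = (params.get('response_type') || '').trim().split(/\s+/).filter(Boolean);
  const unexpectedResponseTypes = requested.filter((rt) => !expected.has(rt));

  // Token artefacts present in the response body but not permitted by the configuration.
  const body = typeof responseBody === 'string' ? JSON.parse(responseBody) : responseBody;
  const leakedFields = TOKEN_FIELDS.filter((f) => f in body && !allowedFields.has(f));

  return {
    unexpectedResponseTypes,
    leakedFields,
    ok: unexpectedResponseTypes.length === 0 && leakedFields.length === 0,
  };
}

// Constructed sample input mirroring the iframerpc exchange quoted in the issue
// (placeholder values kept as placeholders).
const SAMPLE_REQUEST_URL =
  'https://accounts.google.com/o/oauth2/iframerpc?action=issueToken&response_type=token id_token' +
  '&login_hint=<login-hint>&client_id=<client-id>&origin=http://localhost:3000' +
  '&scope=openid profile email&ss_domain=http://localhost:3000';
const SAMPLE_RESPONSE = {
  token_type: 'Bearer',
  access_token: '<access-token>',
  scope: 'openid email profile',
  login_hint: '<login-hint>',
  expires_in: 3599,
  id_token: '<id-token>',
  session_state: { extraQueryParams: { authuser: '0' } },
};

console.log(JSON.stringify(auditOAuthExchange('code', SAMPLE_REQUEST_URL, SAMPLE_RESPONSE)));
```

Run against the sample, the audit reports response types token and id_token as unexpected and access_token and id_token as leaked fields, which is exactly the behaviour the issue complains about; a plain response_type=code request whose body contains only a code passes.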

Top GitHub Comments

JekRock commented, Jan 25, 2021 (5 reactions)

Just checked my assumption with the gapi.auth2.authorize and it returns the authorization code without setting anything to the session storage or making any additional requests. It would be nice to have the ability to use react-google-login for authorization only (yes, I know that the name of the library says “google-login” 😃 )

JekRock commented, Apr 21, 2021 (2 reactions)

@sepatin well, my opinion on that is if you need to get the authorization code only then don’t use any libraries and just redirect a user to the Google/Facebook sign-in page.
