OAuth id_token missing information on refresh
I’ve run into an interesting issue (bug?) with Google OAuth/OpenID Connect authentication. While it’s not directly an issue with this project, I think it’s the best place to report it since it has all the related authentication code, which in turn may cause confusion if other people use the authentication code in this project the same way I am. If there’s a better place to report this, please let me know.
My app is a desktop app using the localhost loopback method to receive the authentication code returned from the browser to obtain tokens.
Starting from the beginning, the app launches https://accounts.google.com/o/oauth2/v2/auth with these query strings:
client_id
redirect_uri=http://localhost:13604/
response_type=code
scope=email openid profile
state
code_challenge_method=S256
code_challenge
login_hint
That works fine, so I get a token using https://www.googleapis.com/oauth2/v4/token with these parameters:
code
redirect_uri=http://localhost:13604/
code_verifier
client_id
client_secret
grant_type=authorization_code
Since I provided OpenID scopes, I get an id_token in the response. Looking at the token data, here’s what’s inside:
That all looks good.
Using the refresh_token we got back with the id_token, I refresh using https://www.googleapis.com/oauth2/v4/token with these parameters:
refresh_token
client_id
client_secret
grant_type=refresh_token
I get this id_token back:
Compare both id_token screenshots. The second one from the refresh is missing most of the identifying information. It appears there is a glitch with Google servers that makes it lose track of the scopes that were specified during the first authorization request. I wasn’t able to figure out a way to reclarify these scopes during the refresh request, which makes sense from a security standpoint, but also reinforces the fact that this may indeed be a server glitch.
This is a significant issue with the seamless login I had in mind. The only workaround right now is to ditch refreshing the token and to go through the full authentication each time. Hopefully the glitch can be addressed by relaying this information to the right person, or another workaround suggested.
Happy new year! 🎉
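The flow described in the issue, as an added example that is not part of the original post or of the project's own code: it generates the PKCE code_verifier/code_challenge pair (S256), builds the authorization URL with the listed parameters, and then checks a refreshed id_token against the first one for exactly the symptom reported above (identity claims present in the first id_token but absent after refresh). The two tokens are constructed offline samples with an empty signature, not real Google tokens, and the claim names, client id, subject and URLs in them are assumptions. The parser reads claims only; a real client must still validate the id_token (signature against the issuer's JWKS, iss, aud, exp) before trusting any claim, and should treat a changed sub between the original and refreshed token as a reason to reject the refreshed token rather than merge it.

```python
"""Loopback PKCE authorization request and a refresh-time id_token check.

Added example (stdlib only, runs offline on constructed tokens). Not the
issue author's code and not the project's own code.
"""
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://www.googleapis.com/oauth2/v4/token"  # from the issue; unused offline

# Identity claims the first id_token is expected to carry for scope
# "email openid profile". Assumed list for the check below.
IDENTITY_CLAIMS = ("email", "email_verified", "name", "given_name",
                   "family_name", "picture")


def b64url(data: bytes) -> str:
    """base64url without padding, as used by PKCE (RFC 7636) and JWT."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge) for code_challenge_method=S256."""
    verifier = b64url(secrets.token_bytes(32))          # 43 unreserved chars
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def pkce_matches(verifier: str, challenge: str) -> bool:
    """The comparison the token endpoint performs when code_verifier arrives."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest()) == challenge


def build_auth_url(client_id: str, redirect_uri: str, state: str,
                   code_challenge: str, login_hint: str = None) -> str:
    """Authorization request with the parameters listed in the issue."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "email openid profile",
        "state": state,
        "code_challenge_method": "S256",
        "code_challenge": code_challenge,
    }
    if login_hint:
        params["login_hint"] = login_hint
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def decode_jwt_payload(token: str) -> dict:
    """Parse the claims segment only. No signature verification: validate the
    token (signature via issuer JWKS, iss, aud, exp) before trusting claims."""
    _header, payload, _signature = token.split(".")
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_identity_claims(first_id_token: str, refreshed_id_token: str) -> set:
    """Identity claims present in the original id_token but absent after refresh."""
    first = decode_jwt_payload(first_id_token)
    refreshed = decode_jwt_payload(refreshed_id_token)
    return {c for c in IDENTITY_CLAIMS if c in first and c not in refreshed}


def subject_consistent(first_id_token: str, refreshed_id_token: str) -> bool:
    """A refreshed id_token must describe the same subject (iss and sub)."""
    first = decode_jwt_payload(first_id_token)
    refreshed = decode_jwt_payload(refreshed_id_token)
    return (first.get("iss"), first.get("sub")) == (refreshed.get("iss"), refreshed.get("sub"))


def make_sample_token(claims: dict) -> str:
    """CONSTRUCTED sample: JWT-shaped string with alg=none and an empty
    signature, only to feed the parsers offline. Not a valid Google token."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


# Constructed stand-ins for the two screenshots in the issue (assumed values).
FIRST_TOKEN = make_sample_token({
    "iss": "https://accounts.google.com", "sub": "1234567890",
    "aud": "example-client-id", "exp": 1700000000,
    "email": "user@example.com", "email_verified": True,
    "name": "Example User", "given_name": "Example", "family_name": "User",
    "picture": "https://example.invalid/photo.jpg",
})
REFRESHED_TOKEN = make_sample_token({
    "iss": "https://accounts.google.com", "sub": "1234567890",
    "aud": "example-client-id", "exp": 1700003600,
})

if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print(build_auth_url("example-client-id", "http://localhost:13604/",
                         secrets.token_urlsafe(16), challenge))
    print("same subject:", subject_consistent(FIRST_TOKEN, REFRESHED_TOKEN))
    print("claims lost on refresh:", sorted(missing_identity_claims(FIRST_TOKEN, REFRESHED_TOKEN)))
```

Because `missing_identity_claims` returns a non-empty set for the refreshed token, a client can detect the condition at refresh time and keep using the identity claims from the first, fully validated id_token instead of overwriting them with the thinner refreshed one; `subject_consistent` guards that merge so claims are never carried over to a token for a different user.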
Issue Analytics
- Created 6 years ago
- Comments: 20
Top GitHub Comments
I’ll start asking internally tomorrow - will see where that leads.
I would suggest that it wouldn’t be random, but that the team is unlikely to want to make any guarantees about it.