It's preferable to only request offline access when strictly necessary. Users will be less likely to use applications that request offline access.
I see how to use online access for something like login that requires a user to click a button. Just set approval_prompt=auto and leave everything else alone.
But what if I have a page where I'd like to have a pane that:
- if the user has already approved us, has a widget that displays Google contacts (for example)
- otherwise has a button labeled "allow this app to access my google contacts".
The first time the user clicks the button we get an access token and can populate the pane with the contacts data after making an API request. But what if the user navigates away and eventually the access token times out? When the user comes back to the page they should not have to click the "allow this app..." button again since they've already approved our app. So that means we need to acquire a new access token.
One way to do this is to have the page serve a redirect to Google OAuth2 with approval_prompt=auto if we know the user has approved us in the past. We get a fresh token every time the user views the page. But the problem comes if the user at some point disallows our application's access. In this scenario we should not automatically redirect them to Google OAuth2; that's awkward UX. They disallowed us, so we should show them the pane with the "allow this app..." button instead of a Google page asking for permission again.
This could be solved if there was an API call to determine the current scopes we've been approved for by a given user. We could check if they have disallowed us and not serve the redirect in that case. In other words we need an operation "Will this OAuth2 request auto approve?" I haven't been able to find such an operation in the docs, but maybe it exists.
I hope the above is clear. If not I can try again.
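
The pane logic described in the question, as an added sketch that is not part of the original post: it picks between the widget, the button and an online-access redirect with approval_prompt=auto, and binds each redirect to the browser session with a `state` value checked on the callback. The client ID, redirect URI, the `record` and `session` dictionaries and all function names are hypothetical, and the `state` check is an addition the post does not mention.

```python
import hmac
import secrets
import time
from urllib.parse import urlencode

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"            # placeholder, not a real client
REDIRECT_URI = "https://app.example/oauth2cb"  # placeholder callback URL
CONTACTS_SCOPE = "https://www.googleapis.com/auth/contacts.readonly"


def build_auth_url(state):
    """Online-access request: no offline access, so no refresh token is issued."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": CONTACTS_SCOPE,
        "access_type": "online",
        "approval_prompt": "auto",
        "state": state,
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def pane_action(record, session, now=None):
    """Return (action, url) for the contacts pane.

    record  -- hypothetical per-user dict: approved_before, access_token, expires_at
    session -- hypothetical per-browser dict holding the pending state value
    """
    now = time.time() if now is None else now
    if record.get("access_token") and record.get("expires_at", 0) > now:
        return ("widget", None)   # token still valid: render the contacts
    if not record.get("approved_before"):
        return ("button", None)   # never approved: show "allow this app..."
    # Token expired after an earlier approval: fetch a fresh one silently.
    # A user who has since revoked access lands on the consent page here,
    # which is the gap the question describes.
    session["oauth_state"] = secrets.token_urlsafe(16)
    return ("redirect", build_auth_url(session["oauth_state"]))


def state_matches(session, returned_state):
    """Single-use, constant-time check of the state echoed to the callback."""
    expected = session.pop("oauth_state", None)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), (returned_state or "").encode())
```
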