Obtaining refresh_token through offline_access scope to be used with IAP


José Cantera

Aug 31, 2020, 8:26:25 AM
to Google App Engine

I am using IAP to protect a Web API Application. I have enabled a service account to get access to the APIs through an id_token. I am able to obtain an id_token (JWT) by signing a JWT (using the keys of my service account) with the following assertions

{
  "iss": "xx.iam.gserviceaccount.com",
  "target_audience": "my_application_client_id",
  "iat": 1598702078,
  "exp": 1598705593
}

and then posting to the token service as follows

curl --location --request POST 'https://oauth2.googleapis.com/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'assertion=<JWT obtained at the previous step>' \
  --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer' \
  --data-urlencode 'scope=openid'

Now I would also like to obtain a refresh_token, but it has been impossible. I have tried with scope=openid offline_access but no luck. Is offline_access implemented in the Google Auth Server? Is there any other mechanism to obtain a refresh_token?

Thank you very much


IOTA Foundation
c/o Nextland
Strassburgerstraße 55
10405 Berlin, Germany

Board of Directors: Dominik Schiener, David Sønstebø, Serguei Popov, Navin Ramachandran
ID/Foundation No.: 3416/1234/2 (Foundation Register of Berlin)

David (Cloud Platform Support)

Sep 1, 2020, 5:00:10 PM
to Google App Engine
This documentation about refreshing an access token (offline access) using Google's authorization server could be helpful. 

wesley c

Sep 1, 2020, 9:26:07 PM
to google-a...@googlegroups.com
Hi, I may not be correct in my understanding but believe that refresh tokens are only used in cases where you're using OAuth2 access tokens for authorization. Since you're using a self-signed JWT instead of an access token, I don't think the useful reference that David linked to applies in your case (and BTW, this is independent of whether you're using IAP or not).

Since you're signing the JWT token, can't you simply resign it with an updated timestamp in your JWT payload (as shown a bit further down on the page I just linked to above)? (I believe that'll have the same effect of using a refresh token to get an updated access token.)

--
You received this message because you are subscribed to the Google Groups "Google App Engine" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-appengi...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/9687fedb-925a-42ef-9c26-439febdf168fn%40googlegroups.com.


--
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
"A computer never does what you want... only what you tell it."
    wesley chun :: @wescpy :: Software Architect & Engineer
    Developer Advocate at Google Cloud by day; at night...
    Python training & consulting : http://CyberwebConsulting.com
    "Core Python" books : http://CorePython.com
    Python blog: http://wescpy.blogspot.com

José Cantera

Sep 2, 2020, 4:04:17 AM
to google-a...@googlegroups.com
Yes, Wesley is right; in the end a refresh_token is not that necessary in this case. It suffices to self-sign a new JWT token with the exp timestamp updated.

thanks!


wesley c

Sep 3, 2020, 1:42:29 AM
to google-a...@googlegroups.com
That's great to hear José. I'm a bit new to using JWT tokens myself (having only used OAuth2 access & refresh tokens) when talking to Google APIs. One big advantage to JWT tokens is that you save API calls to both exchange a JWT for an access token as well as your case of needing to send a refresh token to get a new/valid access token. Cheers!
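As an added example that is not from the thread or from Google, the Python below (standard library only) builds the jwt-bearer assertion from the first post with the `aud` and `target_audience` claims the token endpoint expects, and implements the "refresh" Wesley and José settled on: detect when the current id_token nears expiry and sign a fresh assertion instead of asking for a refresh_token. The service-account email, the client ID and the `sign` callback (which must produce the RS256 signature with the key file's private key) are placeholders the reader supplies.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://oauth2.googleapis.com/token"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def _b64url(data) -> str:
    # dicts are serialised as compact JSON first; padding is stripped per RFC 7515
    if isinstance(data, dict):
        data = json.dumps(data, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def build_assertion(sa_email, client_id, sign, now=None, lifetime=3600):
    """Compact JWT to POST as the jwt-bearer assertion for an IAP id_token.
    `sign(signing_input: bytes) -> bytes` must return the RS256 signature made
    with the service account's private key (any JWT/crypto library will do).
    """
    now = int(time.time()) if now is None else now
    claims = {
        "iss": sa_email,                   # service account email
        "aud": TOKEN_URL,                  # audience of the assertion itself
        "target_audience": client_id,      # IAP OAuth client ID (aud of the id_token)
        "iat": now,
        "exp": now + min(lifetime, 3600),  # assertions may not live longer than 1 hour
    }
    signing_input = _b64url({"alg": "RS256", "typ": "JWT"}) + "." + _b64url(claims)
    return signing_input + "." + _b64url(sign(signing_input.encode("ascii")))

def decode_claims(jwt: str) -> dict:
    """Payload of a compact JWT, unverified: fine for inspecting tokens we hold."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def needs_renewal(id_token: str, now=None, skew=300) -> bool:
    """True within `skew` seconds of expiry: sign a fresh assertion and exchange
    it again, which is what stands in for a refresh_token in this flow."""
    now = int(time.time()) if now is None else now
    return decode_claims(id_token)["exp"] - now <= skew

def exchange_for_id_token(assertion: str) -> str:
    """The curl POST from the thread, returning the id_token to send to IAP."""
    body = urllib.parse.urlencode({"grant_type": JWT_BEARER, "assertion": assertion}).encode()
    req = urllib.request.Request(TOKEN_URL, data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())["id_token"]
```

A caller loops with `if needs_renewal(token): token = exchange_for_id_token(build_assertion(...))` before each request to the IAP-protected API; the id_token itself is what goes in the Authorization header, never the assertion.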
