any way to auto-refresh Google login token from accounts-google?

[Ken Yee]

I'm trying to use the user object's Google login accesstoken and it works great if it's not soon after you log in, but it expires within a day.
Is there a way in the accounts-oauth system to autorefresh this token when users use the meteor app?
This seems like a security issue as well...if users revoke access to the app via their Google account, you stay logged into Meteor's login system (seems the other oauth logins like Twitter and Facebook would hit the same issue).

Alternative is to force users to log in every day by setting the Meteor's accounts token expiration value to something short as well, but I don't see any Accounts.config option to use to do this...

[Ken Yee]

ok...after a deep dig into the Issues list, apparently, there is supposed to be a wrapper to refresh the accesstoken, but it hasn't been finished or merged into a Meteor release yet.

The Facebook one is also related, but it should be part of the oauth2 package IMHO.  Every oauth service could conceivably do this.

Here are the relevant open issues:
https://github.com/meteor/meteor/pull/522
https://github.com/meteor/meteor/issues/444

In the meantime, you can do a Meteor HTTP POST to refresh it manually if needed by doing this:
  https://developers.google.com/accounts/docs/OAuth2WebServer#refresh
but the access token has to be updated in the user.services['google'] array so this is a pretty low level workaround :-P

[Ken Yee]

And I was wrong about how quickly the Google access token expires...it only lasts one hour, not one day...

[Gabriel Pugliese]

Facebook refresh is working for me. Haven't tried Google one.

-- Gabriel Pugliese @gabrielsapo

+55 11 9-9374-2720 http://www.blogcloud.com.br

On Fri, Mar 29, 2013 at 5:37 PM, Ken Yee <ken...@gmail.com> wrote:

And I was wrong about how quickly the Google access token expires...it only lasts one hour, not one day...

--
You received this message because you are subscribed to the Google Groups "meteor-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to meteor-talk...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

[Ken Yee]

On Friday, March 29, 2013 4:54:45 PM UTC-4, Gabriel Pugliese wrote:

Facebook refresh is working for me. Haven't tried Google one.

How do you use the Facebook token?

I'm actually using the Google access token on other Google APIs...not just for logging into Meteor...
 

 

[Gabriel Pugliese]

Here's a gist:

https://gist.github.com/gabrielhpugliese/5052452

-- Gabriel Pugliese @gabrielsapo

+55 11 9-9374-2720 http://www.blogcloud.com.br

 

--

[Ken Yee]

On Friday, March 29, 2013 8:32:33 PM UTC-4, Gabriel Pugliese wrote:

Here's a gist:

https://gist.github.com/gabrielhpugliese/5052452

Hi Gabriel,

You're accessing the FB API w/ the accesstoken in that gist.

FYI, the accesstoken generally expires after a while (part of the OAuth2 spec).  You then have use the refresh token to get a new access token...My comment was that Meteor doesn't automatically do this refresh...

 

[Gabriel Pugliese]

Meteor automatically refreshes FB token in my apps. I don't know other apps.

-- Gabriel Pugliese @gabrielsapo

+55 11 9-9374-2720 http://www.blogcloud.com.br

 

--

[Avital Oliver]

Ken,

A while back a Pull Request was filed to address this: https://github.com/meteor/meteor/pull/522. I dropped the ball on it and it seems that it's gone stale. Would you be interested in taking a look at it, and bringing it up-to-date (perhaps by filing a new PR?) If not, I'd appreciate if you post a comment on the thread as well. I'll try to take a look at it as well.

[iwoj]

++

This is an important feature for any app that wants to run continuously for more than an hour.

[edw...@teachable.co.uk]

I agree this is an important feature.  Currently Meteor Google accounts package doesn't even store the refresh token, so there is no way to update the access token without separate low-level Oauth integration.

[Gabriel Pugliese]

It does store the refresh token. Google only sends the refresh token on the first login. If you have erased the db, you must go into your account settings and de-authorize the app and then re-login into application.

Gabriel Pugliese
CodersTV.com
@coderstv

[edw...@teachable.co.uk]

I've tried a few times to de-authorize the app, reset the database, and then login again and I don't see any refresh token stored under user.services.google.  Is that where I should be seeing it?

[edw...@teachable.co.uk]

OK for future reference I found this problem was actually solved a year ago, but it is not documented in Meteor!

You have to change the loginWithGoogle parameters to request offline access and ask the refresh token to be stored:

Meteor.loginWithGoogle({

      requestPermissions: "openid email https://www.googleapis.com/auth/drive",

      requestOfflineToken: true

      // ,forceApprovalPrompt: true

[Avital Oliver]

It is documented! http://docs.meteor.com/#meteor_loginwithexternalservice

For more options, visit https://groups.google.com/d/optout.

[Gabriel Pugliese]

LOL :P

Gabriel Pugliese
CodersTV.com
@coderstv