I'm trying to use the Google OAuth2 API for my login system. It's almost working: users grant access to my web application, I read their info and connect the users. The issue is, once they leave or change browser and come back to my website, they're asked again to grant access.
I don't need offline access as I'm not using any API calls other than checking in the user. Anyway, I'm stuck and need some help there!
I'm using the Google PHP library (https://code.google.com/p/google-api-php-client/wiki/OAuth2) and I even set ApprovalPrompt to auto. Still no luck.
My code:
    // Assumes the google-api-php-client (apiClient.php and contrib/apiOauth2Service.php)
    // is already loaded and session_start() has been called.
    public function googleLogin()
    {
        $this->set('connect', "Google login");
        $client = new apiClient();
        $client->setApprovalPrompt('auto');
        $client->setApplicationName("Authentication");
        $client->setClientId(G_OAUTH2_APP_ID);
        $client->setClientSecret(G_OAUTH2_SECRET);
        $client->setRedirectUri(G_REDIRECT_URI);
        $client->setDeveloperKey(G_DEV_KEY);
        $oauth2 = new apiOauth2Service($client);

        // Google redirected back with an authorization code: exchange it for a token.
        if (isset($_GET['code'])) {
            $client->authenticate();
            $_SESSION['token'] = $client->getAccessToken();
            $redirect = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'];
            header('Location: ' . filter_var($redirect, FILTER_SANITIZE_URL));
            exit; // stop here so nothing below runs before the redirect
        }
        if (isset($_SESSION['token'])) {
            $client->setAccessToken($_SESSION['token']);
        }
        // Logout: drop the session token and also revoke the grant at Google.
        if (isset($_REQUEST['logout'])) {
            unset($_SESSION['token']);
            $client->revokeToken();
        }
        //print_r($client->getAccessToken()); exit;
        if ($client->getAccessToken()) {
            $user = $oauth2->Guserinfo->get();
            // These fields are currently filtered through the PHP sanitize filters.
            // See http://www.php.net/manual/en/filter.filters.sanitize.php
            //$email = filter_var($user['email'], FILTER_SANITIZE_EMAIL);
            //$img = filter_var($user['picture'], FILTER_VALIDATE_URL);
            // The access token may have been updated lazily.
            $_SESSION['token'] = $client->getAccessToken();
            // do stuff with user data
            $data = $this->linkUser($user, "google");
            if ($data['state'] == "createUser") {
                $this->set("data", $data);
            }
        } else {
            // No usable token: send the user to Google's authorization page.
            $authUrl = $client->createAuthUrl();
            header("Location: " . $authUrl);
            exit;
        }
    }
EDIT:
I added the line $client->setAccessType("online");
I don't know yet if this is the only thing I had to do to make it work or if I have a bug between browsers/OS:
Last time I tried on Lion/Chrome it didn't work, but it's okay on W7/Firefox. Well, this or I'm simply losing my mind :p
Refresh tokens issued by the Google Auth server never expire — that's the whole point of refresh tokens. The refresh token will expire (or I should say become unauthorized) when the user revokes access to your application.
On another question here: Google API - forces to Grant Permission Every time
Someone pointed out you can do this:
    $client->setApprovalPrompt('auto');
I had a similar problem that seems to be solved by eliminating $client->revokeToken() and moving the logout stuff before the login.
I don't know if avoiding invalidating the token is a valid idea or not, but it seems to work.
Try with this one:
    // Assumes the google-api-php-client (apiClient.php and contrib/apiOauth2Service.php)
    // is already loaded and session_start() has been called.
    public function googleLogin()
    {
        $this->set('connect', "Google login");
        $client = new apiClient();
        $client->setApprovalPrompt('auto');
        $client->setApplicationName("Authentication");
        $client->setClientId(G_OAUTH2_APP_ID);
        $client->setClientSecret(G_OAUTH2_SECRET);
        $client->setRedirectUri(G_REDIRECT_URI);
        $client->setDeveloperKey(G_DEV_KEY);
        $oauth2 = new apiOauth2Service($client);

        // I moved the logout stuff here, without invalidating the token
        if (isset($_REQUEST['logout'])) {
            unset($_SESSION['token']);
        }
        // Google redirected back with an authorization code: exchange it for a token.
        if (isset($_GET['code'])) {
            $client->authenticate();
            $_SESSION['token'] = $client->getAccessToken();
            $redirect = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'];
            header('Location: ' . filter_var($redirect, FILTER_SANITIZE_URL));
            exit; // stop here so nothing below runs before the redirect
        }
        if (isset($_SESSION['token'])) {
            $client->setAccessToken($_SESSION['token']);
        }
        /* // I solved it by getting this stuff commented out
        if (isset($_REQUEST['logout'])) {
            unset($_SESSION['token']);
            $client->revokeToken();
        }*/
        //print_r($client->getAccessToken()); exit;
        if ($client->getAccessToken()) {
            $user = $oauth2->Guserinfo->get();
            // These fields are currently filtered through the PHP sanitize filters.
            // See http://www.php.net/manual/en/filter.filters.sanitize.php
            //$email = filter_var($user['email'], FILTER_SANITIZE_EMAIL);
            //$img = filter_var($user['picture'], FILTER_VALIDATE_URL);
            // The access token may have been updated lazily.
            $_SESSION['token'] = $client->getAccessToken();
            // do stuff with user data
            $data = $this->linkUser($user, "google");
            if ($data['state'] == "createUser") {
                $this->set("data", $data);
            }
        } else {
            // No usable token: send the user to Google's authorization page.
            $authUrl = $client->createAuthUrl();
            header("Location: " . $authUrl);
            exit;
        }
    }
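The following is an added example, not code from the question or from this answer. It separates the two things the thread conflates: a sign-out, which only forgets the token on the application side, and a disconnect, which calls Google's revoke endpoint and therefore brings the consent screen back on the next login. It also checks whether a token stored by the old google-api-php-client (a JSON string carrying "created" and "expires_in") is still usable before reusing it. The session array and token values are constructed; the endpoint and field names are those of the old library.

```php
<?php
// Added example (not the page's code). Shows sign-out vs. disconnect and an expiry
// check for a token stored as JSON by the old google-api-php-client.

// Endpoint the old library's revokeToken() called. Revoking either token kills
// the whole grant, so the user will be asked for consent again afterwards.
const GOOGLE_REVOKE_URL = 'https://accounts.google.com/o/oauth2/revoke';

// True when the stored token is missing, malformed, or past created + expires_in,
// using the same 30-second safety margin the old library applied.
function accessTokenExpired(?string $tokenJson, int $now, int $skew = 30): bool
{
    $t = $tokenJson ? json_decode($tokenJson, true) : null;
    if (!is_array($t) || empty($t['access_token'])) {
        return true;
    }
    return ((int)($t['created'] ?? 0) + (int)($t['expires_in'] ?? 0) - $skew) < $now;
}

// Sign-out: forget the token locally. The grant at Google stays intact, so the
// next createAuthUrl() round trip with approval_prompt=auto skips the consent page.
function signOut(array &$session): void
{
    unset($session['token']);
}

// Disconnect: the user wants the application's access withdrawn. This is the
// only case where the revoke endpoint belongs. Returns the request URL the caller
// should issue (e.g. with curl), or null when there is nothing to revoke.
function disconnectUrl(array &$session): ?string
{
    if (empty($session['token'])) {
        return null;
    }
    $t = json_decode($session['token'], true);
    unset($session['token']);
    $token = $t['refresh_token'] ?? $t['access_token'] ?? null;
    return $token ? GOOGLE_REVOKE_URL . '?' . http_build_query(['token' => $token]) : null;
}

// Constructed sample session: a token issued 20 minutes ago with a one-hour lifetime.
$session = ['token' => json_encode([
    'access_token' => 'ya29.EXAMPLE-PLACEHOLDER', 'expires_in' => 3600, 'created' => time() - 1200,
])];
var_dump(accessTokenExpired($session['token'], time())); // decide whether to reuse it
signOut($session);                                        // plain logout: session only
var_dump(isset($session['token']));
var_dump(disconnectUrl($session));                        // nothing left to revoke
```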