Why does Google OAuth2 re-ask user for permission when i send them to auth url again

Question

With the old google openid, when i sent a user (who had previously opted-in to my app) to the auth url, it would immediately redirect them back to my app.

Now, with OAuth2, the auth url keeps asking the user for permission. I read some of the docs on this, but what I dont get is how this flow i supposed to work:

1. User logs into google via my app and clicks ALLOW for permissions
2. Days later, cookies are cleared, user comes back to my site, clicks "Login to google"
3. User is not asked for permission again and they are immediately logged in.

I think it has something to do with storing the auth token or refresh token in step 1, but in Step 3, I don't know who they are, so how can i match them with the proper auth or refresh token to gain a valid access token.

In my tests, when I send them to the original auth url in step 1, they are asked for permissions again.

EDIT: Found the solution

The google-api puts "approval_prompt=force" by default when creating the auth url.

Answer 1

Yes as you've noted using the approval_prompt=force URL parameter will force showing the auth dialog to the user every single time. By simply removing this URL parameter the user will not be prompted on subsequent auth flows.

There is a slight difference in the response that you will get if you use the server-side flow (response_type=code) and offline access (access_type=offline). The first time the user authorizes you (when he sees the approval screen) or if you force this by using approval_prompt=force then when you exchange the auth code you will be granted a refresh_token and an access_token.

However every time the user is not shown with the approval screen (subsequent auth when not using approval_prompt=force), when exchanging the auth code you will only be granted an access_token, no refresh_token. So if that's the flow you are using and if you want to be able to access the user's data offline you need to make sure that you save the refresh_token locally for future use when you get it the first time.

That is only likely to happen if you request access to another type of data than simply the auth data though (using the OAuth 2 flow you can request access to other data, for instance, Contacts API data, Calendar API data, Drive data, etc...) as, usually, a regular Open ID flow would not need offline access.