asp.net mvc - Google OAuth access token expiration in MVC app?

Question

I wrote an MVC app using Google Oauth2 as instructed here: https://developers.google.com/api-client-library/dotnet/guide/aaa_oauth#web_applications

I have an issue with access token expiration. When access token expires, I get the exception when calling Google API: "The access token has expired but we can't refresh it"

The initial authentication is two iterations mechanism:

first iteration AuthorizeAsync returns result with empty Credential, and populated RedirectUri:

So, the authorization url created is this:

https://accounts.google.com/o/oauth2/auth?access_type=offline&response_type=code&client_id=MYCLIENTID&redirect_uri=http:%2F%2Flocalhost%2FHomepage%2FAuthCallback%2FIndexAsync&scope=https:%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar https:%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.readonly&state=http:%2F%2Flocalhost%2FHomepage%2F95419199

Note that access_type=offline is present. So I should get the refresh token back as well (doesn't happen).

second iteration - AuthorizeAsync returns result with populated Credential and empty RedirectUri:

Question1 - is RefreshToken supposed to be null at this moment?

The result is remembered, since it's defined as static.

Next request that comes in - the Calendar action that requires result.Credential to call Google Calendar API:

Question2 - if access token expires by that moment (for testing I just set ExpiresInSeconds = 0), I call RefreshTokenAsync method, but it always returns false! Why? What am I missing here?

And what would be the right way to handle when RefreshTokenAsync returns false? Current RedirectResult(result.RedirectUri) command will fail since result.RedirectUri is null.

Answer 1

Oh, I finally got it :) For those who interested - refresh token is only issued once, when you get that Consent screen, where you have to click Yes.

So, in order to get refresh token, go to your account setting, Account Permissions: https://security.google.com/settings/security/permissions

and revoke access for the project you configured in Google Developers Console: https://console.developers.google.com/project

Now, put a breakpoint on the next line after you call AuthorizeAsync, restart your application in Debug mode, get that consent screen asking for permissions, click Accept.

The app will return to VS and will stop on your break point.

Now, record somewhere the result.Credential.Token.RefreshToken value, it's an encrypted string.

I placed my in web.config appsetting for simplicity.

Now, I just assign that value back to result.Credential.Token.RefreshToken = refreshToken;

and every time, when access token expires, it will automatically refresh it.

Like here when I call GmailService request.Execute(...) passing the credential object that contains the token, the token will be refreshed.