Getting valid access tokens (from google)

[TPausL]

I'm building an app where I depend and on third party data (spotify and google) and therefore authenticate to them via ory so that I don't need to implement this by myself. As I can just get the initial_access_token (and refresh_token) it seems I would need to refresh them by myself. That would be possible but is there are way to avoid this? But the main problem is that I don't get a refresh token from google. Am I doing something wrong or isn't that possible. That would render the google integration useless for me.

[vinckr]

Hello @TPausL
are you using this integration: https://www.ory.sh/docs/kratos/social-signin/google ?

Once the user did the initial signup with that provider, Ory Identities exchanges the tokens from e.g. Google for ones created by Ory.

What was the use case for getting the OIDC tokens multiple times?

Are you building a webapp or mobile/native?
See the flows for each here.

[vinckr]

Hey Timo,
I think I am still not understanding something.
Why do you want to make an auth request to Google?
The user is authenticated at your application through Google and you have an ory_session cookie.

But why do you then need to get the users access token from Google?
The user is already authenticated at your application, right?
Are you authenticating the user at Google services/APIs through Ory?

Sorry if I am a bit slow here, but still missing something.

[TPausL]

Yeah the user is authenticated. But I need a working access token, say 2 weeks later, in order to make requests to the youtube api in behalf of the user. And the access token i get from the identity request (with credentials included) is expired than and there is no refresh token.

[TPausL]

Am I missing something or are there information missing you need?

[vinckr]

Hey @TPausL
apologies for the late answer!

You should be able to get the refresh token and use it to get a working access token as documented here:
https://www.ory.sh/docs/kratos/social-signin/get-tokens

The refresh token you get should be long-lived, I am not sure how it exactly plays out with Google.
I will have a look if I find more information for this exact use case.
This feature might also be interesting to you longer-term: ory/kratos#1912

[TPausL]

yeah the problem is that google doesn't provide refresh tokens. I guess I'll just wait for ory/kratos#2428 to be merged