OK, so I have created a Google login via PHP and OAuth using the really poor Google documents.
So far I can get people logged in, and that side of things seems to be fine. However, after I log out of my site, all my sessions are cleared, and then the next time I log in with the Google login button it sends me to an authorisation page saying "Request offline access".
So I googled and Overflowed, to find that it is because there is still a valid access token. So then I tried to revoke the token. Then I clicked the Google login button again and was again prompted to authorise. This time it was the same as the first time, email and profile. Better than offline access, but it seems strange because I have already authorised the app the first time.
OK, so my next thought was to store the token in a cookie, so that when the sessions clear at logout the cookie with the token in it won't clear. Then simply create a rule to say that if the cookie is present and the session isn't, make the session value the same as the cookie. This works fine, until the cookie dies or expires. Then the next time, boom... authorise offline access again on the login button click.
In essence it works fine, but the cookie will inevitably expire at some point and I want to eradicate this totally. I can only think I am not understanding the flow properly. I have been using Facebook Login for 4 years and thought, hey, let's set up the Google one, that will only take 5 minutes. Lol, I'm here 24 hours later posting to Stack. :/
Can someone advise me please?
Code snippet below:
session_start();
// Old (v1) google-api-php-client include paths; adjust to wherever the library lives.
require_once 'google-api-php-client/src/Google_Client.php';
require_once 'google-api-php-client/src/contrib/Google_Oauth2Service.php';
// $clientId, $clientSecret and $redirectUrl come from your own config (hidden here).

$gClient = new Google_Client();
$gClient->setApplicationName('*Login to mywebsitehidenfromtheworld*');
$gClient->setClientId($clientId);
$gClient->setClientSecret($clientSecret);
$gClient->setRedirectUri($redirectUrl);
$gClient->setAccessType('online');
$gClient->setApprovalPrompt('auto');
$google_oauthV2 = new Google_Oauth2Service($gClient);

$cookieName = '*mycookienamehiddenfromtheworld*';
// Restore the token from the long-lived cookie when the session has been cleared.
// (The original read a differently named cookie here, 'GplusUser', so it never matched.)
if (!empty($_COOKIE[$cookieName]) && empty($_SESSION['token'])) {
    // allowed_classes => false: never let a browser-supplied value instantiate objects
    $_SESSION['token'] = unserialize($_COOKIE[$cookieName], ['allowed_classes' => false]);
}
if (isset($_REQUEST['code'])) {
    $gClient->authenticate();
    $_SESSION['token'] = $gClient->getAccessToken();
    header('Location: ' . filter_var($redirectUrl, FILTER_SANITIZE_URL));
    exit; // stop here so the rest of the page does not run after the redirect header
}
if (isset($_SESSION['token'])) {
    $gClient->setAccessToken($_SESSION['token']);
    setcookie($cookieName, serialize($_SESSION['token']),
              mktime(0, 0, 0, 12, 31, 2020), '/');
}
if ($gClient->getAccessToken()) {
    $userProfile = $google_oauthV2->userinfo->get();
    $gUser = new UsersGP();
    $_SESSION['token'] = $gClient->getAccessToken();
    // ... check the DB etc., then proceed to the member area (working fine)
} else {
    $authUrl = $gClient->createAuthUrl();
}
if (isset($authUrl)) {
    echo '<a href="'.$authUrl.'"><img src="images/glogin.png" alt=""/></a>';
} else {
    echo '<a href="logout.php?logout">Logout</a>';
}
So, to clarify my question:
A: Should a user have to authorise the app every time we need a new access token? I.e. if the access token is revoked manually at logout (using the code below). Basically, if I put this code in my logout script, then the next time the user tries to log in they have to authorise the app again for email and profile.
unset($_SESSION['token']);
unset($_SESSION['google_data']); //Google session data unset
$gClient->revokeToken();
session_destroy();
If I don't use this code and go with the cookie method as seen in the first block of code, then it's fine until the cookie expires or is deleted. Then it goes back to asking for offline access.
B: If the answer to A is no, then what am I missing to prevent this from happening?
With Facebook Login it's simple: authorise the app permissions one time, then even if a new access token is requested you won't have to re-authorise the permissions, unless the permissions have been revoked of course. So with Facebook Login, requesting a new token even if there is an active one does not prompt for any user interaction; it just returns a new one and off you go again. So why is Google different? More to the point, what is the correct method to make this work with no need to authorise again?
Thanks in advance.
-------- Edit: I have just found the following, but it just seems so strange. Can anyone confirm or deny the following please, specifically this part: "If cookie does not exist in browser: application will display 'Have offline access'"
Quote:
"This is not an error. This is the normal scenario of Google OAuth2.
First process, consent, as follows:
User consents to the application getting information about the user. When the user clicks the Accept button, the browser will save consent info into a cookie and the Google account will save the permission (please view https://security.google.com/settings/security/permissions).
From the second process:
The browser checks the cookie consent permission of the Google account.
If the cookie exists in the browser and has permission for this application (https://security.google.com/settings/security/permissions): the consent screen will be skipped.
If the cookie exists in the browser but does not have permission for this application: the consent screen will be displayed.
If the cookie does not exist in the browser: the application will display 'Have offline access'."
I seem to be struggling to make my question crystal clear, but this helps. The last part: if the cookie no longer exists... if the token is still active, but the browser doesn't have it, a new instance of $gClient->createAuthUrl(); has to be created. Then when that URL is parsed, i.e. the login button is clicked, it will present the offline access request. My question is: how can this be avoided?
The quote is from this page: The App keeps asking for permission to "Have offline access", why?
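The cookie method in the question hands the browser a serialize()d copy of the Google token and later unserialize()s whatever comes back in $_COOKIE. As an added example (not code from the question, the answer it quotes, or the Google client library), the following keeps the same "session first, then cookie" restoration rule but stores the token server-side and gives the browser only an opaque random handle in an HttpOnly, Secure cookie. The class name TokenStore, the constant COOKIE_NAME, the 30-day lifetime and the file-backed store directory are all assumptions chosen for the example; the only Google client calls referenced are the ones already on the page (setAccessToken, getAccessToken, authenticate). PHP 7.4 or later is assumed for the typed property and the setcookie() options array.

```php
<?php
// Added example: server-side token store plus an opaque login cookie.
// Hypothetical names: TokenStore, COOKIE_NAME, COOKIE_LIFETIME, $store.

const COOKIE_NAME = 'gp_login';              // constructed cookie name
const COOKIE_LIFETIME = 60 * 60 * 24 * 30;   // constructed value: 30 days

final class TokenStore
{
    private string $dir;

    public function __construct(string $dir)
    {
        if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
            throw new RuntimeException("cannot create token directory $dir");
        }
        $this->dir = $dir;
    }

    // Persist the token string the Google client hands back and return a fresh
    // random handle. The handle, never the token itself, is what the browser keeps.
    public function put(string $token): string
    {
        $handle = bin2hex(random_bytes(32));
        $path = $this->path($handle);
        file_put_contents($path, $token, LOCK_EX);
        chmod($path, 0600);
        return $handle;
    }

    // Look a handle up. Anything that is not exactly the 64 hex chars we issued is
    // rejected before it can become part of a filesystem path.
    public function get(string $handle): ?string
    {
        if (!self::validHandle($handle)) {
            return null;
        }
        $path = $this->path($handle);
        return is_file($path) ? file_get_contents($path) : null;
    }

    public function delete(string $handle): void
    {
        if (self::validHandle($handle) && is_file($this->path($handle))) {
            unlink($this->path($handle));
        }
    }

    private static function validHandle(string $handle): bool
    {
        return preg_match('/^[0-9a-f]{64}$/', $handle) === 1;
    }

    private function path(string $handle): string
    {
        return $this->dir . '/' . $handle . '.token';
    }
}

// The cookie carries only the handle: not readable from JavaScript, HTTPS only.
function issueLoginCookie(string $handle): void
{
    setcookie(COOKIE_NAME, $handle, [
        'expires'  => time() + COOKIE_LIFETIME,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

function clearLoginCookie(): void
{
    setcookie(COOKIE_NAME, '', ['expires' => time() - 3600, 'path' => '/']);
}

// Same rule as the question: use the session if it has the token, otherwise try
// the cookie. A handle that no longer resolves is discarded instead of trusted.
function restoreToken(TokenStore $store): ?string
{
    if (!empty($_SESSION['token'])) {
        return $_SESSION['token'];
    }
    if (!empty($_COOKIE[COOKIE_NAME])) {
        $token = $store->get($_COOKIE[COOKIE_NAME]);
        if ($token !== null) {
            $_SESSION['token'] = $token;
            return $token;
        }
        clearLoginCookie();
    }
    return null;
}

// Wiring into the page's flow (Google client calls exactly as on the page):
//   $store = new TokenStore(__DIR__ . '/tokens');
//   if ($token = restoreToken($store)) { $gClient->setAccessToken($token); }
//   after $gClient->authenticate(): $_SESSION['token'] = $gClient->getAccessToken();
//                                   issueLoginCookie($store->put($_SESSION['token']));
//   at logout: $store->delete($_COOKIE[COOKIE_NAME] ?? ''); clearLoginCookie(); session_destroy();
```

Two things this changes compared with the question's cookie: a stolen or tampered cookie value yields nothing unless it matches a handle still present on the server, and no browser-supplied bytes ever reach unserialize(). It does not by itself change what Google asks at the consent screen; that is governed by the access type and approval prompt settings passed to the client, which are the subject of the question.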