Yes, Wesley is right, in the end a refresh_token is not that necessary in this case, it suffices with self-signing a new JWT token with the exp timestamp updated,
thanks! On Wed, Sep 2, 2020 at 3:26 AM wesley chun <[email protected]> wrote: > Hi, I may not be correct in my understanding but believe that refresh > tokens are only used in cases where you're using OAuth2 access tokens for > authorization. Since you're using a self-signed JWT instead of an access > token > <https://developers.google.com/identity/protocols/oauth2/service-account#jwt-auth>, > I don't think the useful reference that David linked to applies in your > case (and BTW, this is independent of whether you're using IAP or not). > > Since you're signing the JWT token, can't you simply resign it with an > updated timestamp in your JWT payload (as shown a bit further down on the > page I just linked to above)? (I believe that'll have the same effect of > using a refresh token to get an updated access token.) > > On Tue, Sep 1, 2020 at 2:00 PM 'David (Cloud Platform Support)' via Google > App Engine <[email protected]> wrote: > >> This documentation >> <https://developers.google.com/identity/protocols/oauth2/web-server#offline> >> about refreshing an access token (offline access) using Google's >> authorization server could be helpful. >> >> On Monday, August 31, 2020 at 8:26:25 AM UTC-4 [email protected] wrote: >> >>> I am using IAP to protect a Web API Application. I have enabled a >>> service account to get access to the APIs through an id_token. I am able to >>> obtain an id_token (JWT) by signing a JWT (using the keys of my service >>> account) with the following assertions >>> { >>> "iss": "xx.iam.gserviceaccount.com", >>> "sub": "xx.iam.gserviceaccount.com", >>> "aud": "https://oauth2.googleapis.com/token";, >>> "target_audience": "my_application_client_id", >>> "iat": 1598702078, >>> "exp": 1598705593 >>> } >>> >>> and then Posting to the token service as follows >>> curl --location --request POST 'https://oauth2.googleapis.com/token' \ >>> --header 'Content-Type: application/x-www-form-urlencoded' \ >>> --data-urlencode 'assertion=<JWT obtained at the previous step>’ >>> --data-urlencode >>> 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer' \ >>> --data-urlencode 'scope=openid’ >>> >>> Now I would like to also obtain a refresh_token and has been impossible. >>> I have tried with *scope=openid offline_access* but no luck. Is >>> *offline_access* implemented in the Google Auth Server? Any other >>> mechanism to obtain a refresh_token? >>> >>> Thank you very much >>> >>> *IOTA Foundation* >>> c/o Nextland >>> Strassburgerstraße 55 >>> 10405 Berlin, Germany >>> >>> Board of Directors: Dominik Schiener, David Sønstebø, Serguei Popov, >>> Navin Ramachandran >>> ID/Foundation No.: 3416/1234/2 (Foundation Register of Berlin) >>> >> -- >> You received this message because you are subscribed to the Google Groups >> "Google App Engine" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/google-appengine/9687fedb-925a-42ef-9c26-439febdf168fn%40googlegroups.com >> <https://groups.google.com/d/msgid/google-appengine/9687fedb-925a-42ef-9c26-439febdf168fn%40googlegroups.com?utm_medium=email&utm_source=footer> >> . >> > > > -- > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > "A computer never does what you want... only what you tell it." > wesley chun :: @wescpy <http://twitter.com/wescpy> :: Software > Architect & Engineer > Developer Advocate at Google Cloud by day; at night... > Python training & consulting : http://CyberwebConsulting.com > "Core Python" books : http://CorePython.com > Python blog: http://wescpy.blogspot.com > > -- > You received this message because you are subscribed to a topic in the > Google Groups "Google App Engine" group. > To unsubscribe from this topic, visit > https://groups.google.com/d/topic/google-appengine/XJz5lES-TyQ/unsubscribe > . > To unsubscribe from this group and all its topics, send an email to > [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/google-appengine/CAB6eaA7w%3DYu9dOZ7ChhgE8Bf9Bb%2BjFxoMTsMbuTuHZ7dURqDrw%40mail.gmail.com > <https://groups.google.com/d/msgid/google-appengine/CAB6eaA7w%3DYu9dOZ7ChhgE8Bf9Bb%2BjFxoMTsMbuTuHZ7dURqDrw%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- *IOTA Foundation* c/o Nextland Strassburgerstraße 55 10405 Berlin, Germany Board of Directors: Dominik Schiener, David Sønstebø, Serguei Popov, Navin Ramachandran ID/Foundation No.: 3416/1234/2 (Foundation Register of Berlin) -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/CABcrX6ibkhXhn1R0JUy16vTfoY7CXtqjeRprwNVxVqw2M1_bfA%40mail.gmail.com.
