I implemented external OAuth2 authentication with Google as the auth provider and my own application server as the resource provider. Things are working. However, I noticed that almost every hour, as a Forge app user, I am prompted with
“This app requires additional access to your account. [Configure access] button”
I did more investigation. I think I can confirm this is a Forge bug.
On the one hand, I debugged the access_token sent by Forge to the external resource provider: I decoded the token at https://oauth2.googleapis.com/tokeninfo?access_token=XXXX . The token has "access_type": "online", which is wrong; it should be offline instead.
On the other hand, I used my Google OAuth2 app's Client ID and Secret to perform manual testing with curl. I could get the refresh_token as well as the offline-type access_token. My manual testing steps are below:
Put this URL into the browser to acquire an authorization code
# Authorization link. Place this in a browser and copy the code that is returned after you accept the scopes.
https://accounts.google.com/o/oauth2/v2/auth?
scope=https://www.googleapis.com/auth/userinfo.email&
access_type=offline&
include_granted_scopes=true&
response_type=code&
state=state_parameter_passthrough_value&
redirect_uri=https%3A//oauth2.example.com/code&
client_id=client_id
# Exchange the authorization code for an access token and a refresh token.
# redirect_uri must be identical to the one used in the authorization request above.
curl \
--request POST \
--data "code=[Authorization code from authorization link]&client_id=[Application Client Id]&client_secret=[Application Client Secret]&redirect_uri=https%3A//oauth2.example.com/code&grant_type=authorization_code" \
https://accounts.google.com/o/oauth2/token
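The same flow as the manual curl test above, written out as a small Python (stdlib only) script. This is an added example for this thread, not code from Forge, Atlassian or Google. It does what the post does (build the authorization URL with access_type=offline, exchange the code, and check the decoded token's access_type at the tokeninfo endpoint) and adds two things the post's URL does not have: a random, verified state parameter (the callback is rejected on mismatch) and prompt=consent, because Google only returns a refresh_token on the first grant unless consent is forced. The client ID, secret, redirect URI and the JSON responses in the demo are constructed placeholders; the endpoint URLs and parameter names are Google's real ones.

```python
"""Google OAuth2 authorization-code flow that yields an offline grant.

Added example, not Forge or Google code. Endpoint URLs and parameter names
are real; client ID/secret, redirect URI and sample responses are placeholders.
"""
import json
import secrets
import urllib.parse
import urllib.request

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
TOKENINFO_ENDPOINT = "https://oauth2.googleapis.com/tokeninfo"


def build_auth_url(client_id, redirect_uri, scopes, state=None):
    """Return (url, state). access_type=offline asks for a refresh token;
    prompt=consent makes Google re-issue one even if the user consented before."""
    state = state or secrets.token_urlsafe(32)  # CSRF guard for the callback
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "access_type": "offline",
        "prompt": "consent",
        "include_granted_scopes": "true",
        "state": state,
    }
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params), state


def parse_callback(callback_url, expected_state):
    """Pull the authorization code out of the redirect; refuse an error
    response or a state that does not match what we sent."""
    qs = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    if "error" in qs:
        raise RuntimeError("authorization failed: " + qs["error"][0])
    if qs.get("state", [None])[0] != expected_state:
        raise RuntimeError("state mismatch: possible CSRF on the callback")
    return qs["code"][0]


def exchange_code(code, client_id, client_secret, redirect_uri, post=None):
    """Trade the code for tokens. redirect_uri must equal the one used in the
    authorization request. `post` is injectable so this can be exercised
    without network; by default it really POSTs to Google."""
    form = {
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
    }
    tokens = (post or _http_post_form)(TOKEN_ENDPOINT, form)
    if "refresh_token" not in tokens:
        # An online grant (or a repeat consent without prompt=consent) lands here.
        raise RuntimeError("no refresh_token in response: grant was not offline")
    return tokens


def inspect_access_token(access_token, get=None):
    """Decode a token the way the post does, via Google's tokeninfo endpoint
    (or an injected getter for offline use)."""
    url = TOKENINFO_ENDPOINT + "?" + urllib.parse.urlencode({"access_token": access_token})
    return (get or _http_get_json)(url)


def token_is_offline(tokeninfo):
    """True when the decoded token carries access_type == "offline"."""
    return tokeninfo.get("access_type") == "offline"


def _http_post_form(url, form):
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _http_get_json(url):
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demo with constructed responses (placeholder IDs, not real tokens).
    url, state = build_auth_url("client_id", "https://oauth2.example.com/code",
                                ["https://www.googleapis.com/auth/userinfo.email"])
    print("open in browser:", url)
    code = parse_callback("https://oauth2.example.com/code?state=%s&code=4%%2Fdemo" % state, state)
    fake_post = lambda u, f: {"access_token": "ya29.demo", "refresh_token": "1//demo", "expires_in": 3599}
    tokens = exchange_code(code, "client_id", "client_secret", "https://oauth2.example.com/code", post=fake_post)
    fake_get = lambda u: {"access_type": "offline", "expires_in": "3599", "scope": "https://www.googleapis.com/auth/userinfo.email"}
    print("offline grant:", token_is_offline(inspect_access_token(tokens["access_token"], get=fake_get)))
```

Run it as-is for the offline demo; drop the `post=`/`get=` arguments to hit Google for real once you have pasted a genuine code from the browser. The check that matters for the bug described above is the last line: a token minted for an offline grant reports "offline" at the tokeninfo endpoint, and the token response carries a refresh_token; Forge's token showed "online", which is why the grant keeps expiring and re-prompting.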