I have created credentials on the Google developer console:
The oauth client is in test mode (not verified yet), but added some test emails.
I could successfully retrieve an access token with authorization code grant flow, using an authorization url that looks like this (client id, redirect_uri changed):
Most importantly:
The token response looks like this:
{
  "access_token": "***",
  "expires_in": 3108,
  "scope": "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/blogger openid",
  "token_type": "Bearer",
  "id_token": "***"
}
Why am I not getting a refresh token from the token endpoint, even though access_type=offline was specified? I think refresh_token is only provided for the first login, so I tried to log in from incognito mode, but it did not help.
Is it because the oauth client is in test mode? I tried to find information about restrictions of test mode oauth clients, and could not find anything about refresh tokens.
I believe you'll need
access_type=offline&prompt=consent
like in this answer
As OP commented
In golang goth library, this corresponds to: oauth2.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.ApprovalForce). The name oauth2.ApprovalForce is a bit misleading, it actually adds prompt=consent.
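An added example, not part of the original posts or of any library mentioned above: a standard-library Go sketch that builds the authorization URL with the two parameters from the answer and checks a token response for a refresh_token. The client ID, redirect URI, state value and function names are placeholders chosen for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Google's OAuth 2.0 authorization endpoint.
const authEndpoint = "https://accounts.google.com/o/oauth2/v2/auth"

// TokenResponse holds the two token-endpoint fields this check needs.
type TokenResponse struct {
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
}

// BuildAuthURL (hypothetical helper) returns an authorization-code URL that
// carries access_type=offline and prompt=consent, as the answer suggests.
func BuildAuthURL(clientID, redirectURI, state string, scopes []string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", strings.Join(scopes, " "))
	q.Set("state", state) // caller supplies a fresh random value per request
	q.Set("access_type", "offline")
	q.Set("prompt", "consent")
	return authEndpoint + "?" + q.Encode()
}

// HasRefreshToken (hypothetical helper) parses a token response body and
// reports whether it carries a non-empty refresh_token.
func HasRefreshToken(body []byte) (bool, error) {
	var tr TokenResponse
	if err := json.Unmarshal(body, &tr); err != nil {
		return false, err
	}
	return tr.RefreshToken != "", nil
}

func main() {
	scopes := []string{"openid", "https://www.googleapis.com/auth/userinfo.email", "https://www.googleapis.com/auth/blogger"}
	fmt.Println(BuildAuthURL("CLIENT_ID_PLACEHOLDER", "https://app.example/callback", "constructed-state", scopes))
	// Constructed body shaped like the response in the question (no refresh_token).
	ok, err := HasRefreshToken([]byte(`{"access_token":"x","expires_in":3108,"token_type":"Bearer","id_token":"y"}`))
	fmt.Println(ok, err)
}
```

Running HasRefreshToken on every code exchange and logging a warning when it returns false makes a missing refresh token visible at login time rather than when the access token expires.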