Hi, I may not be correct in my understanding but believe that refresh
tokens are only used in cases where you're using OAuth2 access tokens for
authorization. Since you're using a self-signed JWT instead of an access
token
<https://developers.google.com/identity/protocols/oauth2/service-account#jwt-auth>,
I don't think the useful reference that David linked to applies in your
case (and BTW, this is independent of whether you're using IAP or not).

Since you're signing the JWT token, can't you simply resign it with an
updated timestamp in your JWT payload (as shown a bit further down on the
page I just linked to above)? (I believe that'll have the same effect of
using a refresh token to get an updated access token.)

On Tue, Sep 1, 2020 at 2:00 PM 'David (Cloud Platform Support)' via Google
App Engine <google-appengine@googlegroups.com> wrote:

> This documentation
> <https://developers.google.com/identity/protocols/oauth2/web-server#offline>
> about refreshing an access token (offline access) using Google's
> authorization server could be helpful.
>
> On Monday, August 31, 2020 at 8:26:25 AM UTC-4 jose.c...@iota.org wrote:
>
>> I am using IAP to protect a Web API Application. I have enabled a service
>> account to get access to the APIs through an id_token. I am able to obtain
>> an id_token (JWT) by signing a JWT (using the keys of my service account)
>> with the following assertions
>> {
>>  "iss": "xx.iam.gserviceaccount.com",
>>  "sub": "xx.iam.gserviceaccount.com",
>>  "aud": "https://oauth2.googleapis.com/token";,
>>  "target_audience": "my_application_client_id",
>>  "iat": 1598702078,
>>  "exp": 1598705593
>>  }
>>
>> and then Posting to the token service as follows
>> curl --location --request POST 'https://oauth2.googleapis.com/token' \
>> --header 'Content-Type: application/x-www-form-urlencoded' \
>>  --data-urlencode 'assertion=<JWT obtained at the previous step>’
>>  --data-urlencode
>> 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer' \
>> --data-urlencode 'scope=openid’
>>
>> Now I would like to also obtain a refresh_token and has been impossible.
>> I have tried with *scope=openid offline_access* but no luck. Is
>> *offline_access* implemented in the Google Auth Server? Any other
>> mechanism to obtain a refresh_token?
>>
>> Thank you very much
>>
>> *IOTA Foundation*
>> c/o Nextland
>> Strassburgerstraße 55
>> 10405 Berlin, Germany
>>
>> Board of Directors: Dominik Schiener, David Sønstebø, Serguei Popov,
>> Navin Ramachandran
>> ID/Foundation No.: 3416/1234/2 (Foundation Register of Berlin)
>>
> --
> You received this message because you are subscribed to the Google Groups
> "Google App Engine" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to google-appengine+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/google-appengine/9687fedb-925a-42ef-9c26-439febdf168fn%40googlegroups.com
> <https://groups.google.com/d/msgid/google-appengine/9687fedb-925a-42ef-9c26-439febdf168fn%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>


-- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
"A computer never does what you want... only what you tell it."
    wesley chun :: @wescpy <http://twitter.com/wescpy> :: Software
Architect & Engineer
    Developer Advocate at Google Cloud by day; at night...
    Python training & consulting : http://CyberwebConsulting.com
    "Core Python" books : http://CorePython.com
    Python blog: http://wescpy.blogspot.com

-- 
You received this message because you are subscribed to the Google Groups 
"Google App Engine" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to google-appengine+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-appengine/CAB6eaA7w%3DYu9dOZ7ChhgE8Bf9Bb%2BjFxoMTsMbuTuHZ7dURqDrw%40mail.gmail.com.

Reply via email to