mjustin

Google OAuth 2.0 auth code flow with PKCE: refresh token example


This application launches a local web server and requests an access token and a refresh token. After authentication and authorization are done, the tokens are displayed in a web page together with a button, which allows requesting a new access token. Full example code is included.


Location: https://github.com/michaelJustin/daraja-framework/tree/master/demo/17_google_refresh_token


Requirements

Note: the example code contains the configuration for an existing public Google Cloud App registration. You may configure it to use a different App registration, by modifying the constants in unit MainUnit.


Security considerations

  • The example code uses response_mode=form_post to receive the access token. Unlike with response_mode=fragment (or query), the browser does not receive the access_token parameter in the redirect request URI. Therefore, the access_token is not accessible within the browser’s memory.
  • The example code uses PKCE, which stands for “Proof of Key Code Exchange”, an extension of the OAuth 2.0 protocol that helps prevent code interception attacks.
  • The example does not require a client secret. “Don’t use the application secret in a native app or single page app because a client_secret can’t be reliably stored on devices or web pages. It’s required for web apps and web APIs, which can store the client_secret securely on the server side.” (source)
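The flow described in this post, shown as an added Python example (it is not the Daraja demo's own Delphi code): generating the PKCE verifier and S256 challenge, building the Google authorization URL with the parameters the post mentions (response_mode=form_post, no client secret, a refresh token requested via access_type=offline), the local server's handling of the posted redirect form, and the bodies of the code-exchange and refresh-token requests. The client id and loopback redirect URI are hypothetical placeholders; the Google endpoint URLs are Google's documented public endpoints.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Google's public OAuth 2.0 endpoints (documented by Google, not taken from the demo).
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
GOOGLE_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"

# Hypothetical values: a placeholder client id and the loopback redirect URI the
# local web server listens on. Substitute the constants of your own App registration.
CLIENT_ID = "<your-client-id>.apps.googleusercontent.com"
REDIRECT_URI = "http://localhost:8080/oauth2callback"


def make_code_verifier(num_bytes: int = 32) -> str:
    """RFC 7636 4.1: a high-entropy random string of 43..128 unreserved characters."""
    raw = base64.urlsafe_b64encode(secrets.token_bytes(num_bytes))
    return raw.rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """RFC 7636 4.2, method S256: BASE64URL(SHA256(ASCII(verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verifier_matches_challenge(verifier: str, challenge: str) -> bool:
    """The check the authorization server performs at the token endpoint (RFC 7636 4.6)."""
    return secrets.compare_digest(make_code_challenge(verifier), challenge)


def build_authorization_url(client_id: str, redirect_uri: str, scope: str,
                            state: str, challenge: str) -> str:
    """URL the app opens in the browser. access_type=offline asks Google for a refresh
    token; response_mode=form_post makes the browser POST the result to the local
    server instead of placing it in the redirect URI, as the post above describes."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "access_type": "offline",
        "response_mode": "form_post",
    }
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)


def query_params(url: str) -> dict:
    """Flatten the query string of a URL into a plain dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def build_code_exchange_body(client_id: str, redirect_uri: str,
                             code: str, verifier: str) -> dict:
    """Form body of the first token request: no client_secret, the verifier proves
    that the party redeeming the code is the one that started the flow."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }


def build_refresh_body(client_id: str, refresh_token: str) -> dict:
    """Form body sent when the user presses the 'new access token' button."""
    return {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
    }


def handle_redirect(form_fields: dict, expected_state: str) -> str:
    """What the local web server does with the POSTed form: surface an error
    response, reject a missing or wrong state (CSRF protection), return the code."""
    if "error" in form_fields:
        raise ValueError("authorization failed: " + form_fields["error"])
    if not secrets.compare_digest(form_fields.get("state", ""), expected_state):
        raise ValueError("state mismatch: redirect did not originate from our request")
    return form_fields["code"]


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    state = secrets.token_urlsafe(16)
    print(build_authorization_url(CLIENT_ID, REDIRECT_URI, "openid email", state, challenge))
    # Constructed stand-in for the form the browser would POST back to the local server.
    posted = {"code": "4/constructed-sample-code", "state": state}
    code = handle_redirect(posted, state)
    print(build_code_exchange_body(CLIENT_ID, REDIRECT_URI, code, verifier))
    print(build_refresh_body(CLIENT_ID, "constructed-refresh-token"))
```

The verifier is kept only in the process that started the flow and is sent once, in the code exchange; a code intercepted on the way back to the local server is useless without it, which is the interception protection the post refers to. Keep the refresh token out of the page the browser renders where possible, since it is the long-lived credential.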