Google - use offline access token

[jehiah]

Currently the Google provider uses an online token which expires in 60 minutes. This means that the token is not valid when passed to upstreams for some duration of time, and that it's not possible to refresh the cookie for a new duration (because the token expires and can't be revalidated).

The good news, refreshing a token does ensure that the token is valid. The bad news, with the google provider sessions fail when a refresh is attempted >1hr after cookie set.

[jehiah]

referencing https://developers.google.com/identity/protocols/OAuth2WebServer#offline

[mbland]

Did that change recently? Coulda swore when I first started using the google_auth_proxy that the Google auth page said the app wanted offline access. The API docs don't seem to describe a way to set the expiration manually, but according to this, it seems like it should take six months, not one hour:

https://developers.google.com/identity/protocols/OAuth2#expiration

Still, I think customizing the Google provider shouldn't take too much effort. From the point of view of OauthProxy.ServeHTTP(), the contents of the access_token are opaque; we could encode/decode a refresh_token to/from the same value within the Google provider without rippling changes through most of the rest of the code. We'd have to override GetLoginURL(), and probably add a RefreshToken() method (or update the interface to ValidateToken() to return the validated token string). Only catch is that clients using --pass-access-token will need to know about the concatenated format. Happy to take a stab at it, unless you get to it first.