Google OAuth 2.0 recommends the following OAuth flow:
a hybrid server-side flow where a user authorizes your app on the client side using the JavaScript API client and you send a special one-time authorization code to your server. Your server exchanges this one-time-use code to acquire its own access and refresh tokens from Google for the server to be able to make its own API calls, which can be done while the user is offline.
I am trying to do exactly this but using passport.js instead. In a normal (entirely server-side) workflow, Passport expects the one-time authorization code from Google in a query parameter at the redirect link (for example: /auth/google/redirect). Hence, I would expect the same redirect endpoint to work if I call it from my client (with the authorization code), instead of Google redirecting to it.
However, when I try to do that, I get the following error from Passport:
TokenError: Bad Request
at Strategy.OAuth2Strategy.parseErrorResponse (node_modules/passport-oauth2/lib/strategy.js:358:12)
at Strategy.OAuth2Strategy._createOAuthError (node_modules/passport-oauth2/lib/strategy.js:405:16)
at node_modules/passport-oauth2/lib/strategy.js:175:45
at node_modules/oauth/lib/oauth2.js:191:18
at passBackControl (node_modules/oauth/lib/oauth2.js:132:9)
at IncomingMessage.<anonymous> (node_modules/oauth/lib/oauth2.js:157:7)
at IncomingMessage.emit (events.js:327:22)
at endReadableNT (_stream_readable.js:1201:12)
at processTicksAndRejections (internal/process/task_queues.js:84:21)
Is it incorrect to expect the code sent from my client-side to work this way? What am I doing wrong?
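For reference, the server side of the hybrid flow the question describes, written as an added example (not code from the question, from Passport or from Google): the client posts the one-time code, the server exchanges it at Google's token endpoint, and the response parser keeps the OAuth `error` code next to the `error_description`, since passport-oauth2's TokenError surfaces only the latter. It assumes Node 18+ (global `fetch`), and that the code was obtained with Google's JavaScript client in popup mode, where the documented `redirect_uri` for the exchange is `postmessage` rather than the server's callback URL.

```javascript
// Added example (not from the question or from Passport): minimal server-side
// exchange of a one-time code that the browser obtained with Google's JS client.
// Assumptions: Node 18+ (global fetch); client id/secret come from the server's config.
const TOKEN_ENDPOINT = 'https://oauth2.googleapis.com/token';

// Build the authorization_code grant body. Google checks every field, and
// redirect_uri must be the value the code was issued for. For a code obtained in
// the browser with the JS client in popup mode that value is 'postmessage'
// (assumption), not the server's own /auth/google/redirect callback URL.
function buildTokenRequest({ code, clientId, clientSecret, redirectUri = 'postmessage' }) {
  if (!code || typeof code !== 'string') throw new TypeError('missing authorization code');
  return new URLSearchParams({
    code,
    client_id: clientId,
    client_secret: clientSecret,
    redirect_uri: redirectUri,
    grant_type: 'authorization_code',
  }).toString();
}

// Turn the raw token-endpoint reply into a result that keeps BOTH the OAuth error
// code (e.g. invalid_grant, redirect_uri_mismatch) and its description. The code is
// what tells you which request field Google rejected; the description alone can be
// as terse as "Bad Request".
function parseTokenResponse(status, bodyText) {
  let body;
  try {
    body = JSON.parse(bodyText);
  } catch {
    return { ok: false, error: 'invalid_response', description: `non-JSON body (HTTP ${status})` };
  }
  if (status !== 200 || body.error) {
    return { ok: false, error: body.error || `http_${status}`, description: body.error_description || '' };
  }
  // refresh_token is only present when offline access was requested and consent was granted.
  return { ok: true, accessToken: body.access_token, refreshToken: body.refresh_token || null, expiresIn: body.expires_in };
}

// Exchange a code posted by the client. `fetchImpl` is injectable so the flow can be
// exercised offline with a constructed response; the secret never leaves the server.
async function exchangeCode(code, { clientId, clientSecret, redirectUri, fetchImpl = fetch } = {}) {
  const res = await fetchImpl(TOKEN_ENDPOINT, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildTokenRequest({ code, clientId, clientSecret, redirectUri }),
  });
  return parseTokenResponse(res.status, await res.text());
}
```

Wire `exchangeCode` to a POST route that receives the code from the client and store the returned refresh token server-side; the constructed responses in the comments show the shape of what Google's endpoint returns, not real values.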