docs(auth): clarify testing refresh token expiry

Peter Steinberger 2026-04-28 08:22:58 +01:00
parent 2892765ea3
commit ec3ac8daa5
No known key found for this signature in database
2 changed files with 4 additions and 0 deletions


@ -27,6 +27,7 @@
- Auth: time out Linux D-Bus keyring write operations and report when OAuth completed but saving the refresh token failed, so manual auth no longer looks like a stuck paste when token persistence is blocked. (#130)
- Install docs: document Windows release ZIP/PATH setup and clarify that source builds require the Go version declared in `go.mod`, not Ubuntu 24.04's Go 1.22 package. (#157, #135)
- CI: pin GitHub Actions workflow dependencies to immutable commit SHAs. (#288)
- Auth docs: clarify that consumer Gmail refresh tokens expire after 7 days when the OAuth app remains External + Testing, and that publishing the personal OAuth app is the long-lived-token path. (#121)
- Auth: store Google OIDC `sub` claims with OAuth tokens and migrate matching subject-keyed accounts when a Google email rename is reauthorized. (#504)
- Calendar: display `calendar events` times and JSON local fields in the calendar timezone instead of preserving arbitrary event offsets. (#493)
- Drive/Docs/Sheets/Slides: treat `--out -` as stdout for downloads and exports instead of creating `-`/`-.ext` files; reject `--json --out -` to keep byte streams parseable. (#286)
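Review bot: the new "Auth docs" entry states the 7-day expiry for any app that "remains External + Testing", but the README text added in this same commit limits it to apps that request Gmail/Drive/Calendar-style user-data scopes. Suggest adding that scope condition to the entry so the changelog and the README make the same claim, for example "when the OAuth app remains External + Testing and requests user-data scopes".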


@ -117,6 +117,7 @@ Before adding an account, create OAuth2 credentials from Google Cloud Console:
If Google returns `accessNotConfigured` or says an API has not been used in the project, enable the API in the same Cloud project that owns your OAuth client JSON, then retry after the enablement propagates.
3. Configure OAuth consent screen: https://console.cloud.google.com/auth/branding
4. If your app is in "Testing", add test users: https://console.cloud.google.com/auth/audience
- Testing-mode refresh tokens expire after 7 days for External apps that request Gmail/Drive/Calendar-style user-data scopes. For a personal consumer Gmail account, publish the OAuth app for long-lived refresh tokens; a small personal/unverified app can still show Google's unverified-app warning and user cap. Staying in Testing means re-authenticating every 7 days.
5. Create OAuth client:
- Go to https://console.cloud.google.com/auth/clients
- Click "Create Client"
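Review bot: the new bullet under step 4 tells the reader to "publish the OAuth app" but, unlike the numbered steps around it, gives no console URL or page name for changing the publishing status. Suggest adding that pointer so the fix is actionable from this step. The closing sentence "Staying in Testing means re-authenticating every 7 days" restates the first sentence and could be dropped, and the remark about the unverified-app warning and user cap would scan better as its own sub-bullet.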
@ -624,6 +625,8 @@ Some open source Google CLIs ship a pre-configured OAuth client ID/secret copied
- Your own OAuth Desktop client JSON via `gog auth credentials ...` + `gog auth add ...`
- Google Workspace service accounts with domain-wide delegation (Workspace only)
For consumer Gmail accounts, there is no `gogcli` workaround for Google's OAuth publishing status. If the OAuth app is External + Testing and requests Gmail or other user-data scopes, Google expires the refresh token after 7 days. To avoid weekly re-auth, move the OAuth app to production/published status; for personal use under Google's unverified-app cap, this can still work without shipping a public app. Workspace Internal apps and service-account delegation only help Workspace-owned accounts, not `@gmail.com` mailboxes.
## Commands
Flag aliases:
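Review bot: the paragraph added before "## Commands" repeats the step 4 bullet with a slightly different condition ("Gmail or other user-data scopes" here, "Gmail/Drive/Calendar-style user-data scopes" there), so the two statements can drift apart. Suggest keeping one full statement and referring to it from the other place. The phrase "this can still work" is also vague: state what the user will still encounter, namely the unverified-app warning and the user cap that the step 4 bullet mentions.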