Request offline access for external frontend OAuth redirects (v0.6.8)

rustyconover · claude · rustyconover · commit a0cf462722d7 · 2026-04-03T17:49:52.000-04:00
When return_to is set, add access_type=offline and prompt=consent to the
authorization URL so Google returns a refresh_token. This lets external
frontends (e.g. DuckDB WASM) silently refresh expired id_tokens.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "vgi-rpc"
-version = "0.6.7"
+version = "0.6.8"
 description = "Vector Gateway Interface - RPC framework based on Apache Arrow"
 readme = "README.md"
 requires-python = ">=3.13"
diff --git a/vgi_rpc/http/_oauth_pkce.py b/vgi_rpc/http/_oauth_pkce.py
@@ -719,7 +719,7 @@ def process_response(
         )
 
         # Build authorization URL
-        params = {
+        params: dict[str, str] = {
             "response_type": "code",
             "client_id": self._client_id,
             "redirect_uri": self._redirect_uri,
@@ -728,6 +728,12 @@ def process_response(
             "state": state_nonce,
             "scope": self._scope,
         }
+        # When redirecting to an external frontend, request offline access so
+        # Google returns a refresh_token. DuckDB WASM needs this to silently
+        # refresh expired id_tokens without user interaction.
+        if return_to:
+            params["access_type"] = "offline"
+            params["prompt"] = "consent"
         auth_url = f"{authorization_endpoint}?{urlencode(params)}"
 
         logger.debug("OAuth PKCE redirect to %s (original: %s)", authorization_endpoint, original_url)
