Hybrid Flow (again)

[Scarygami]

There's a (rather common) use-case where you will need the hybrid flow without approvalPrompt: force (and also with immediate: true): Server-side applications that don't need (or already have) offline access, but want to verify/authenticate the user that is making the call.

The user would log-in (without any additional popup if they have logged in in the past), the auth-flow will return a code (even if there is no offline access requested). This code is sent to the server and exchanged for an access token (not necessarily a refresh token) which can be used to determine who made the call and then allow (e.g. session-based) access to certain data/functionalities.
In this case you would use a simple AuthClient on the server-side since you might not have a refresh token.
If you had stored credentials before you could retrieve them based on who authenticated and create a AutoRefreshingAuthClient

In retrospect the easiest/most versatile solution would probably be to include the code as part of AccessCredentials and have all the necessary options on obtainAccessCredentialsViaUserConsent and clientViaUserConsent: {immediate: false, force: false, offline: false}

I understand the desire to keep the methods simple, but having extensively worked with Google auth in other languages I find the approach to call different methods for different use-cases rather confusing as opposed to calling one method (like gapi.auth.authorize) with different parameters.

[kevmoo]

Care to take a look, @mkustermann ?

[mkustermann]

I've merged the PR.

@Scarygami

Thanks for adding the tests :)

I agree that the current implementation is not so ideal. Though, I don't really want to add a code member to AccessCredentials, because it is only present in this particular browser flow -- for all other flows this is not necessary. We could get rid of runHybridFlow/HybridFlowResult and make clientViaUserConsent/obtainAccessCredentialsViaUserConsent return a subclass of AccessCredentials which contains a code. Then we can also add an idToken later on into this subclass, ...

WDYT?

[mkustermann]

I've published the new version on pub.

[Scarygami]

Your suggestion sounds good to me, subclassing AccessCredentials makes a lot more sense than having a separate HybridFlowResult.