google-api, google-oauth

401 Unauthorized when authenticating with Google for hybrid applications


I want to use native applications and a web server to get refresh tokens to use for some operations (on Google Drive). Client ids and secrets have been generated for both the native and the web application using the Google developer console.

I'm trying to generate authcodes from the native applications and exchange them from the web server for access/refresh tokens using a script heavily inspired by the Java example. The main difference is that there are two GoogleAuthorizationCodeFlows (they represent the native and server parts):

  • One using the native application's id and secret and used for generating the authorization code.
  • One using the web application id and secret and used to exchange the authorization code for credentials.

This procedure does, however, result in a 401 Unauthorized exception.

When both GoogleAuthorizationCodeFlows use the same credentials, either those of the native application or those of the web application, the process succeeds and returns a refresh token.

How can I use the authorization code from a native application on a web application to generate access tokens? Is there a way to use the web application id and secret to exchange the authorization code, or must the procedure be finished using the same credentials used for generating the token?


Solution

The reason that it is not working is that authentication is linked to the client id and client secret.

When a user authenticates, they are authenticating that client id / client secret pair. You can't just take the refresh token or the authorization code and use it with a different client id and secret; they won't match, it won't work, and you will get a 401 Unauthorized exception.

You're on the right track with:

"How can I use the authorization code from a native application on a web application to generate access tokens?"

What you need to do is create just one Client ID for native application and use that client id and client secret for both your native application and your web application.

Web vs Native

The only real difference between a Client ID for native application and a Client ID for web application is the Redirect URI. The Redirect URI just tells the authentication server where to return the authentication to. In the case of a website that's easy: it's the web page where you handle the code, and most of the time this is the same IP address. In the case of a native application there is no way to know this, so the server sends the information back to the requesting IP. Beyond that there is really no difference, except maybe that Google likes to know whether it's a website or an installed application running the code. So you can use a native client id on a web application; the server will just return it to wherever it asked.

Security

There are probably some security considerations with using a native one on a web application; I guess someone could potentially get hold of it and send info with your client id. TBH I find the chance of this limited.
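To make the rule in the answer concrete, here is an added example that is not part of the question or the answer and is not Google's code or the google-api-java-client: a small in-memory model of an OAuth 2.0 authorization server that binds every authorization code to the client_id and redirect_uri that requested it, then runs the three exchanges the question describes (native code with native credentials, native code with web credentials, web code with web credentials). The client ids, secrets, redirect URIs, user name and scope string are constructed sample values, and the 401 status for a code/client mismatch is an assumption that mirrors the status reported in the question (RFC 6749 also allows a 400 invalid_grant there).

```python
"""Added example, not Google's code: an in-memory model of an OAuth 2.0
authorization server whose token endpoint refuses a code presented by a
client other than the one it was issued to. Client registry, user, scope
and redirect URIs are constructed; the 401 on mismatch is an assumption
matching the status in the question (RFC 6749 permits 400 invalid_grant)."""
import hmac
import secrets
import time


class OAuthError(Exception):
    """Error response from the token endpoint, carrying the HTTP status."""

    def __init__(self, status, error):
        super().__init__(f"{status} {error}")
        self.status = status
        self.error = error


class AuthorizationServer:
    CODE_TTL = 600  # authorization codes are short-lived (seconds)

    def __init__(self, clients):
        # clients: {client_id: {"secret": str, "redirect_uris": [str]}}
        self._clients = clients
        self._codes = {}  # code -> record of who it was issued to
        self._refresh_tokens = {}  # refresh_token -> (client_id, user, scope)

    def authorize(self, client_id, redirect_uri, scope, user):
        """Authorization endpoint after user consent: issues a code that is
        bound to the requesting client and its registered redirect URI."""
        client = self._clients.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise OAuthError(400, "invalid_request")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {
            "client_id": client_id, "redirect_uri": redirect_uri,
            "scope": scope, "user": user, "issued": time.time(), "used": False,
        }
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint (grant_type=authorization_code): authenticate the
        client first, then verify the code was issued to that same client."""
        client = self._clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise OAuthError(401, "invalid_client")
        rec = self._codes.get(code)
        if rec is None or rec["used"] or time.time() - rec["issued"] > self.CODE_TTL:
            raise OAuthError(400, "invalid_grant")
        rec["used"] = True  # single use, whatever the outcome below
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            # Code belongs to a different client registration (or a different
            # redirect): this is the mismatch behind the question's 401.
            raise OAuthError(401, "invalid_grant")
        refresh_token = secrets.token_urlsafe(32)
        self._refresh_tokens[refresh_token] = (client_id, rec["user"], rec["scope"])
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "refresh_token": refresh_token, "expires_in": 3600,
                "scope": rec["scope"]}


def exchange(server, client_id, client_secret, code, redirect_uri):
    """Return (status, error_or_None, response_or_None) for one token request."""
    try:
        return 200, None, server.token(client_id, client_secret, code, redirect_uri)
    except OAuthError as e:
        return e.status, e.error, None


def run_scenario():
    """The three exchanges from the question against one constructed registry."""
    native_uri, web_uri = "http://127.0.0.1:8080/", "https://example.com/oauth2callback"
    server = AuthorizationServer({
        "native-client-id": {"secret": "native-secret", "redirect_uris": [native_uri]},
        "web-client-id": {"secret": "web-secret", "redirect_uris": [web_uri]},
    })
    scope = "https://www.googleapis.com/auth/drive"  # sample scope string
    code = server.authorize("native-client-id", native_uri, scope, "alice")
    same = exchange(server, "native-client-id", "native-secret", code, native_uri)
    code = server.authorize("native-client-id", native_uri, scope, "alice")
    crossed = exchange(server, "web-client-id", "web-secret", code, web_uri)
    code = server.authorize("web-client-id", web_uri, scope, "alice")
    web = exchange(server, "web-client-id", "web-secret", code, web_uri)
    return {"same_client": same[0],
            "crossed_clients": (crossed[0], crossed[1]),
            "web_only": web[0],
            "refresh_token_issued": same[2] is not None and "refresh_token" in same[2]}


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

Running it, the middle exchange is the only one refused, even though the web client authenticated correctly: the code simply was not issued to it. That check is the one a defender wants, because a code redeemed by a client other than the one it was issued to is exactly what a stolen or substituted code looks like, so the server marks the code used and fails the request instead of honouring it. The supported way to use one code across a native and a web component is therefore the one the answer gives: a single client registration shared by both.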