google-oauth

Receiving no refresh_token for google oauth


We are using the following OAuth login URL for getting an access token from our users:

https://accounts.google.com/o/oauth2/auth?state=14e8d9b8-49c0-498f-b896-02965904737c&client_id={clientId}&response_type=code&redirect_uri={redirect URL}&scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fbusiness.manage+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&access_type=offline

This is working fine for most of our users, but for one specific user of ours, we can't get a refresh token.

AFAIK, omitting the access_type=offline query param is a likely cause for not receiving a refreshToken, but in our case we do include it in the URL. We also verified that the OAuth flow is working correctly for others.

We did ask the user to remove our application from their Google settings' third-party connections page, but the issue persists after that as well.

Edit:

Our code for getting the refreshToken (we are using Spring RestTemplate):

import java.util.HashMap;
import org.springframework.http.ResponseEntity;
import org.springframework.web.client.RestTemplate;

// Exchange the authorization code returned to our redirect URI for tokens at Google's token endpoint.
final HashMap<String, String> request = new HashMap<>();
request.put("grant_type", "authorization_code");
request.put("code", authorizationCode);        // the "code" query parameter from the callback
request.put("client_id", "{clientId}");
request.put("client_secret", "{clientSecret}");
request.put("redirect_uri", "{callbackUrl}");  // must match the redirect_uri used in the login URL
// The JSON response body contains access_token, expires_in and (when issued) refresh_token.
ResponseEntity<byte[]> response = this.restTemplate.postForEntity("https://oauth2.googleapis.com/token", request, byte[].class);

Solution

  • Adding prompt=consent to the OAuth login URL enforced a full reauth, cleaning out the previous configuration from the user's account settings - and resulting in us receiving the refresh_token as expected.
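As an added example (not the asker's code and not a Google library), the following Python, using only the standard library, puts the question's login URL and token exchange together with the fix from the solution: it builds the authorization URL with access_type=offline plus prompt=consent, checks the state on the callback, form-encodes the code-exchange body that the RestTemplate call above posts, and flags a token response that came back without a refresh_token so the login can be re-run with consent. The client id, redirect URI and both token responses are constructed placeholders, not real Google output.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Google endpoints as used in the question.
GOOGLE_AUTH_URL = "https://accounts.google.com/o/oauth2/auth"
GOOGLE_TOKEN_URL = "https://oauth2.googleapis.com/token"

# Scopes from the question's login URL.
SCOPES = [
    "openid",
    "https://www.googleapis.com/auth/userinfo.profile",
    "https://www.googleapis.com/auth/business.manage",
    "https://www.googleapis.com/auth/userinfo.email",
]


def new_state():
    """Unguessable state value; store it server-side and compare it on the callback."""
    return secrets.token_urlsafe(32)


def build_auth_url(client_id, redirect_uri, state, force_consent=True):
    """Build the login URL. access_type=offline asks for a refresh token; prompt=consent
    (the fix from the solution) makes Google show the consent screen again, which is what
    gets a fresh refresh token issued for an account that already granted access earlier."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(SCOPES),  # urlencode turns the spaces into '+' as in the question's URL
        "state": state,
        "access_type": "offline",
    }
    if force_consent:
        params["prompt"] = "consent"
    return f"{GOOGLE_AUTH_URL}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect, rejecting a mismatched state."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback did not originate from our login URL")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


def token_request_body(code, client_id, client_secret, redirect_uri):
    """Form-encoded body for the code exchange (the same fields the RestTemplate call posts)."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    })


def parse_token_response(raw_json):
    """Parse Google's token response. Returns access_token, refresh_token (None when Google
    did not issue one) and whether the user must go through the login URL with prompt=consent."""
    data = json.loads(raw_json)
    if "error" in data:
        raise ValueError(f"token endpoint error: {data['error']}")
    refresh_token = data.get("refresh_token")
    return {
        "access_token": data["access_token"],
        "refresh_token": refresh_token,
        "expires_in": data.get("expires_in"),
        # Without a refresh_token we cannot keep offline access once the access token expires.
        "needs_reconsent": refresh_token is None,
    }


# Constructed sample responses (not real Google output): the failing case from the question,
# and the expected case after adding prompt=consent.
SAMPLE_RESPONSE_WITHOUT_REFRESH = json.dumps({
    "access_token": "ya29.constructed-access-token",
    "expires_in": 3599,
    "scope": " ".join(SCOPES),
    "token_type": "Bearer",
    "id_token": "constructed.id.token",
})
SAMPLE_RESPONSE_WITH_REFRESH = json.dumps({
    "access_token": "ya29.constructed-access-token",
    "expires_in": 3599,
    "refresh_token": "1//constructed-refresh-token",
    "scope": " ".join(SCOPES),
    "token_type": "Bearer",
    "id_token": "constructed.id.token",
})


if __name__ == "__main__":
    state = new_state()
    print(build_auth_url("{clientId}", "https://app.example.test/callback", state))
    for raw in (SAMPLE_RESPONSE_WITHOUT_REFRESH, SAMPLE_RESPONSE_WITH_REFRESH):
        print(parse_token_response(raw))
```

The needs_reconsent flag is the point to act on: log it with the account involved and send that user back through build_auth_url with force_consent=True, rather than silently storing an access token that expires in an hour with no way to renew it.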