Add ApprovalForce to AuthCodeOptions

* Extract access token validity check to a function

pkg/api/login_oauth.go

@@ -98,7 +98,9 @@ func (hs *HTTPServer) OAuthLogin(ctx *models.ReqContext) {
 	code := ctx.Query("code")
 	if code == "" {
 		// FIXME: access_type is a Google OAuth2 specific thing, consider refactoring this and moving to google_oauth.go
-		opts := []oauth2.AuthCodeOption{oauth2.AccessTypeOffline}
+		// ApprovalForce is required to get the refresh token every time the user logs in with Google OAuth (without this the
+		// refresh token is only provided when the user first gives consent)
+		opts := []oauth2.AuthCodeOption{oauth2.AccessTypeOffline, oauth2.ApprovalForce}
 
 		if provider.UsePKCE {
 			ascii, pkce, err := genPKCECode()

pkg/services/contexthandler/contexthandler.go

@@ -453,7 +453,7 @@ func (h *ContextHandler) initContextWithToken(reqContext *models.ReqContext, org
 		oauthToken, exists, _ := h.oauthTokenService.HasOAuthEntry(ctx, queryResult)
 		if exists {
 			// Skip where the OAuthExpiry is default/zero/unset
-			if !oauthToken.OAuthExpiry.IsZero() && oauthToken.OAuthExpiry.Round(0).Add(-oauthtoken.ExpiryDelta).Before(getTime()) {
+			if h.hasAccessTokenExpired(oauthToken) {
 				reqContext.Logger.Info("access token expired", "userId", query.UserID, "expiry", fmt.Sprintf("%v", oauthToken.OAuthExpiry))
 
 				// If the User doesn't have a refresh_token or refreshing the token was unsuccessful then log out the User and Invalidate the OAuth tokens
@@ -726,3 +726,16 @@ func AuthHTTPHeaderListFromContext(c context.Context) *AuthHTTPHeaderList {
 	}
 	return nil
 }
+
+func (h *ContextHandler) hasAccessTokenExpired(token *models.UserAuth) bool {
+	if token.OAuthExpiry.IsZero() {
+		return false
+	}
+
+	getTime := h.GetTime
+	if getTime == nil {
+		getTime = time.Now
+	}
+
+	return token.OAuthExpiry.Round(0).Add(-oauthtoken.ExpiryDelta).Before(getTime())
+}