Update:
I had assumed this was the solution already, but something was still missing. The authorization was valid only for a while and broke with the first attempt to refresh it.
In order to get a token which can be refreshed later the request uri needs an additional parameter &prompt=consent
So it looks like this:
https://accounts.google.com/o/oauth2/v2/auth?scope=https://www.googleapis.com/auth/cloud-platform&access_type=offline&include_granted_scopes=true&response_type=code&redirect_uri=https://www.google.com&prompt=consent&client_id= yourId