Google OAuth2 re-authorization is missing permissions on the consent page

When I force a user to re-authorize my application a second time, using approval_prompt=force, how can I get Google to show the user the entire list of permissions my app is requesting?

Details:

I have a web application that requests a set of Google API permissions, including access_type=offline. The first time I approve it, it shows the correct consent page, listing all the permissions, which looks like:

[image: first-time Google OAuth2 consent page]

Later, I send the user back to authorize with Google, with the same parameters. The second time, it only shows "Have offline access":


Why does it not show the users all the permissions? Is there a way to force it to ask the user for all the permissions a second time? Why does it now show "Have offline access" the first time?

Our users find it confusing that our app is not asking for any actual permissions, so I'd rather just show the first approval screen again.

The full parameters for the request I am making are as follows. URL:

https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=1039955146864.apps.googleusercontent.com&redirect_uri=http://localhost:8081/sync/google/callback&response_type=code&scope=openid%20email%20https://www.googleapis.com/auth/admin.directory.group.readonly%20https://www.googleapis.com/auth/admin.directory.group.member.readonly%20https://www.googleapis.com/auth/admin.directory.user.readonly&state=480704597031619284232891277399900450622

Parameters broken out:

access_type: offline
approval_prompt: force
client_id: 1039955146864.apps.googleusercontent.com
redirect_uri: http://localhost:8081/sync/google/callback
response_type: code
scope: openid email https://www.googleapis.com/auth/admin.directory.group.readonly https://www.googleapis.com/auth/admin.directory.group.member.readonly https://www.googleapis.com/auth/admin.directory.user.readonly
state: 480704597031619284232891277399900450622
asked Dec 12 '13 22:12 by Evan Jones


1 Answer

We launched incremental auth and this is working as designed.

http://googleplusplatform.blogspot.com/2013/12/google-sign-in-improvements11.html

The idea is if a user has already granted the permissions to an app, there is no need to show the same permissions and ask the user to approve.

If you write your application properly then this situation should not arise. If you request an offline code (refresh token) and store it on your backend, you shouldn't be asking for it again unless you need to get some new scopes/permissions. You should use the refresh token that you have stored in the future. If you only need the access token when the user is on your site, you can use other flows to request an access token without the user seeing an approval page.

answered Sep 21 '22 17:09 by nvnagr
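The logic the answer recommends, written out as an added example (not code from the question or the answer): the backend keeps the refresh token and the granted scopes from the first consent, sends the user back to Google's consent page only when it has no refresh token or needs a scope it was never granted, and checks the `state` value on the callback. The constructed `StoredGrant` record, the function names, and the use of `prompt=consent` and `include_granted_scopes=true` (Google parameters assumed here in place of the question's `approval_prompt=force`) are this example's assumptions, not anything the page states.

```python
# Added example (not from the original question or answer): decide whether a user
# must be sent back to Google's consent page, and build the authorization URL when
# they must. Uses the endpoint and parameter names from the question; the
# "prompt=consent" and "include_granted_scopes" parameters are assumed here.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"


@dataclass
class StoredGrant:
    """What the backend keeps per user after the first consent (constructed sample)."""
    refresh_token: Optional[str]
    granted_scopes: frozenset = field(default_factory=frozenset)


def needs_reauthorization(grant, required_scopes):
    """Return True only if no usable refresh token exists or a required scope is missing.

    When the stored refresh token already covers every required scope, the backend
    should exchange it for access tokens itself instead of bouncing the user to Google.
    """
    if grant is None or not grant.refresh_token:
        return True
    return not set(required_scopes) <= grant.granted_scopes


def build_auth_url(client_id, redirect_uri, scopes, state, force_consent=False):
    """Build the authorization URL; only force the consent page when explicitly asked."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
        "access_type": "offline",            # ask for a refresh token, as in the question
        "include_granted_scopes": "true",    # assumed: incremental-auth parameter
    }
    if force_consent:
        params["prompt"] = "consent"         # assumed: replaces approval_prompt=force
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def scopes_in_auth_url(url):
    """Parse the space-separated scope list out of an authorization URL."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("scope", [""])[0].split()


def new_state():
    """Unguessable per-request state value to store in the user's session."""
    return secrets.token_urlsafe(32)


def state_matches(expected, received):
    """Constant-time check of the callback's state against the one in the session."""
    if expected is None or received is None:
        return False
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    # Constructed sample: the user consented once to openid and email.
    grant = StoredGrant("refresh-token-from-first-consent", frozenset({"openid", "email"}))
    print(needs_reauthorization(grant, ["openid", "email"]))  # False: reuse the refresh token
    print(needs_reauthorization(grant, ["openid", "email",
          "https://www.googleapis.com/auth/admin.directory.user.readonly"]))  # True: new scope
    print(build_auth_url("example-client-id", "http://localhost:8081/sync/google/callback",
                         ["openid", "email"], new_state(), force_consent=True))
```

Only the new-scope path ever reaches the consent page, so a user who already granted everything is never shown the confusing "Have offline access" only screen; `state_matches` belongs on the callback handler, where the value from the session is compared against the one Google sends back.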