I have a google login in my app when I try to click on sign in with google I do not see the permission it needs to access
My app uses users contacts and so I have added it to scope in consent screen settings but it do not show any permission. Can someone help me if there is anything else that needs to be configured as I need to verify my app from google
I want permission to display like this(sample image)
Scopes that I am using
this is the api
Lets use the Google Oauth Playground to test a little.
test 1 requesting authorization to Oauth2 scopes.
I am going to select Google contacts really there is not much point in selecting this one using google People api is a much better choice.
And everything under Google People API
This is the consent screen shown me
test two authenticating with open id connect
I am going to only request
Now profile and email are special they are related to Open Id connect, which is out side of the Oauth2 because of that i was not actually shown a consent screen. Because i am Authenticating to Google that this is me logging in.
I am not Authorizing any Oauth2 scopes because none were really requested. Now this make confuse you because by requesting profile you are automatically given access to the users profile data which means that you can access the Google people api and do people/me and get the information about the person.
conclusion
Only Oauth2 scopes appear to the user requesting access. not open id scopes.
Related
I am providing sign in with google functionality on my application. Users are able to successfully login using that but my application is not showing in "Manage third party apps" section of user's google account when they login. So they do not have an option to revoke access for my app. Any ideas on what I am doing wrong here I want my app to be listed in users "Manage third party apps" section when they login successfully.
I think you are miss understanding what third party apps is. You may want to consult Manage third-party apps & services with access to your account
For example, you may download an app that helps you schedule workouts with friends. This app may request access to your Google Calendar and Contacts to suggest times and friends for you to meet up with.
Third party apps use Oauth2 to request your consent for the application to access your data. When you consent to this the application in question is given a token (refresh token) which will allow them to access your data until you revoke that access. They can access this data without you being there. So they could have something running every night to harvest your data. They have access even when you are offline. The way you revoke it is though the security page on your google account.
Sign-in does not grant any access in that manner. For signin to work you the user must be behind the machine when it is running. The application you signed into cant access your data when your offline.
There is no way for you to know which applications you have signed in using your google account. Unless they also requested some Oauth2 consent.
So again sign in is Open IdConnect and does not make it by itself a third party app. They have no access to your data after you are gone. Signin only works when the user is behind the machine.
TLDR: I've been struggling with the new Sign in with Google functionality and especially the part how I can let the user stay signed in. What I understand from the docs is that Google only tells "this is a user who would like to sign in" but basically I would still need to create my own backend to track that user.
Note this question is about the new Sign in with Google functionality, all the guides/questions I can seem to find are about legacy sign-in and this is quite well described here:
https://developers.google.com/identity/sign-in/web/server-side-flow
What confuses me most is basically already stated in the beginning of the guide:
https://developers.google.com/identity/gsi/web/guides/overview?hl=en#user_sign-in_to_your_site
You'll manage per user session state for sign-in to your site.
User sign-in status to their Google Account and your app are independent of each other, except during the sign-in moment itself when you know that the user has successfully authenticated and is signed into their Google Account. Users may remain signed-in, sign-out, or switch to a different Google Account while maintaining an active, signed-in session on your website.
I understand the basic principle behind OAuth and the part where you have to exchange the authorization code for an access token and you can verify this access token (which is perfectly described in the legacy guide), but this is now only required for OAuth2 in order to access personal data. If I understand correctly this access token can be used as an identifier for a specific session (as alternative to a password or session cookie).
With the new sign in policy you will only get a JWT which identifies the user. Also apparently the only way to get a JWT is as a response when the user clicks the Sign in with Google button and selects the account in the consent screen (which ideally should only occur once).
What I actually want to achieve is that when a user enters the site I want to send a request "Hey Google this user is visiting my site, do you recognize this session and is it still valid".
Maybe I'm thinking way too difficult, but what I just don't understand is how can the new Google Login actually help me remember and validate users?
After some more digging around I found a lead on this page: https://developers.google.com/identity/gsi/web/guides/migration#object_migration_reference_for_user_sign-in
Basically what I am looking for was provided by the depreciated GoogleAuth.isSignedIn.get() function, but the notes clearly show:
Remove. A user's current sign-in status on Google is unavailable. Users must be signed-in to Google for consent and sign-in moments.
Combined with the prior statement:
You'll manage per user session state for sign-in to your site.
To validate the assumption I did some testing with other web services where I logged in using Google, revoked the log-in access for that website from the Google console and when revisiting that website I was still logged in to the website.
My conclusion:
Google login only verifies the initial login
Google basically responds with "Yes this is a valid user"
I have to keep track of the user session using cookies/databases myself
I have requested Google to approve sensitive scopes. Until now the application was accessing the basic name and email data. However, the new requested scopes do not show up on the consent screen. Google requires me to share a video with the new OAuth consent screen but I don't have a way to show the new scopes until they update it. What am I doing wrong? I have looked up other questions and resources and did not find any question specific to this problem related to the sensitive scopes.
The scopes that appear on the consent screen are sent by your code in the authorization setup. Adding them to google developer console just tells google you will be using these. Its your code that needs to request them.
If your not seeing them you haven't added the scopes to the authorization request in your code.
Our app requires Google OAuth2. When a user, with an existing Google account, authenticates with Google then we use a callback to return users to our App. This is what we want.
The issue is, for those users who do not have a Google account we ask them to create a Google account (gmail address) or connect their existing email address to Google. A user who has to follow either of these flows ends up on the "Thanks for creating a Google account page" and not back at our App.
This is supposed to work as you are expecting. There is a continue button on that page and that should bring the user back.
If that is not working, can you tell us more (about OS, client id, urls and the exact steps) or give us a link to test/reproduce? Is this on the web or on mobile app?
We are using google oauth2 permitting users to use their existing google accounts to log in to our system.
After being authenticated what is the proper way to manage active user session in our app for ex.
Let's suppose the user has logged in to our system with google account A. Then user logs out/changes google account to account B but not within our app but rather from its gmail. Should we also log him out him from our app???
(which seems to me bizarre and impossible as soon as there should be google API to check that the given user at the given time is logged in to google services).
The only way which seems to me reasonable is to invalidate user session after given timeout and only then we could make user re-pass oauth2 authorization flow.
Thanks in advance for your help.
The access_token or id_token your acquire from the Google OAuth2 Login flow is not coupled with the login sessions in the various Google apps (gmail, plus, ....).
There's no way for your app to know that the the user logged out of his gmail. Your app shouldn't care.
If your web app makes it clear to the user what account has been used to login initially (by displaying a username/picture or other info retrieved from the Google User Info call you should be ok.
Most users will not try to link your web application session with a gmail session for example.