I am using Gmail api and Google Calendar api in my project. I have issue with permission required for these apis.
Requirements: Assume I have not given any king of permission at this point.
If i am using Gmail api then it should ask only gmail related permission.
I i am using Calendar api then it should ask only calendar related permission.
It is working as per my requirement but there is one issue.
Issue: Suppose i have two buttons on same page, one for gmail and other for calendar.
I clicked first on gmail button, it prompts me to login and asks gmail related permissions, but instead of granting permission I cancled it, and clicked calendar button, here it is asking for gmail related permission only, once i refreshed the page, then it will ask for calendar permission.
Question: How can I make my website ask for correct permission without refreshing page.
I am using react-google-login npm.
You should think of your application as a single entity. It should only ask a user to login once.
If your app to run needs both gmail and google calendar permissions then you should be asking for both gmail and google calendar permissions.
That being said it is possible and sometimes worth wild to say request gmail scope and then if the user wants to use say another part of your application which requires calendar scopes to request additional scopes the response from this should contain both the gmail and the calendar permissions but this is still going to require that the authorization window pop up and they consent to it.
Answer: There is no way to request authorization of the user without showing them the consent screen and refreshing the access on your site.
Related
TLDR: I've been struggling with the new Sign in with Google functionality and especially the part how I can let the user stay signed in. What I understand from the docs is that Google only tells "this is a user who would like to sign in" but basically I would still need to create my own backend to track that user.
Note this question is about the new Sign in with Google functionality, all the guides/questions I can seem to find are about legacy sign-in and this is quite well described here:
https://developers.google.com/identity/sign-in/web/server-side-flow
What confuses me most is basically already stated in the beginning of the guide:
https://developers.google.com/identity/gsi/web/guides/overview?hl=en#user_sign-in_to_your_site
You'll manage per user session state for sign-in to your site.
User sign-in status to their Google Account and your app are independent of each other, except during the sign-in moment itself when you know that the user has successfully authenticated and is signed into their Google Account. Users may remain signed-in, sign-out, or switch to a different Google Account while maintaining an active, signed-in session on your website.
I understand the basic principle behind OAuth and the part where you have to exchange the authorization code for an access token and you can verify this access token (which is perfectly described in the legacy guide), but this is now only required for OAuth2 in order to access personal data. If I understand correctly this access token can be used as an identifier for a specific session (as alternative to a password or session cookie).
With the new sign in policy you will only get a JWT which identifies the user. Also apparently the only way to get a JWT is as a response when the user clicks the Sign in with Google button and selects the account in the consent screen (which ideally should only occur once).
What I actually want to achieve is that when a user enters the site I want to send a request "Hey Google this user is visiting my site, do you recognize this session and is it still valid".
Maybe I'm thinking way too difficult, but what I just don't understand is how can the new Google Login actually help me remember and validate users?
After some more digging around I found a lead on this page: https://developers.google.com/identity/gsi/web/guides/migration#object_migration_reference_for_user_sign-in
Basically what I am looking for was provided by the depreciated GoogleAuth.isSignedIn.get() function, but the notes clearly show:
Remove. A user's current sign-in status on Google is unavailable. Users must be signed-in to Google for consent and sign-in moments.
Combined with the prior statement:
You'll manage per user session state for sign-in to your site.
To validate the assumption I did some testing with other web services where I logged in using Google, revoked the log-in access for that website from the Google console and when revisiting that website I was still logged in to the website.
My conclusion:
Google login only verifies the initial login
Google basically responds with "Yes this is a valid user"
I have to keep track of the user session using cookies/databases myself
I have a google login in my app when I try to click on sign in with google I do not see the permission it needs to access
My app uses users contacts and so I have added it to scope in consent screen settings but it do not show any permission. Can someone help me if there is anything else that needs to be configured as I need to verify my app from google
I want permission to display like this(sample image)
Scopes that I am using
this is the api
Lets use the Google Oauth Playground to test a little.
test 1 requesting authorization to Oauth2 scopes.
I am going to select Google contacts really there is not much point in selecting this one using google People api is a much better choice.
And everything under Google People API
This is the consent screen shown me
test two authenticating with open id connect
I am going to only request
Now profile and email are special they are related to Open Id connect, which is out side of the Oauth2 because of that i was not actually shown a consent screen. Because i am Authenticating to Google that this is me logging in.
I am not Authorizing any Oauth2 scopes because none were really requested. Now this make confuse you because by requesting profile you are automatically given access to the users profile data which means that you can access the Google people api and do people/me and get the information about the person.
conclusion
Only Oauth2 scopes appear to the user requesting access. not open id scopes.
After user being logged in with Google OAuth - is it possible to check if later user get logged out from Google?
Scenario:
User logged in in Google
User logged in on mysite.com using Google OAuth, and login state stored in session for 1 year.
User logged out from Google, but forgot to log out from mysite.com
After one week someone stoled user's laptop. Thief won't be able to use Google but will be able to re-use logged in user session on mysite.com
I wonder what are the ways to prevent such situation?
I don't want to put this burden on user - log out him from mysite.com and ask to log in again every day.
Would like instead use something automatic like:
When you logged in with Google OAuth you get some sort of ID
Every day you validate that that original session is still active, by calling something like
google.com/api/is-original-session-still-active?id=ID
Note: I suspect that you have your terminology incorrect i suspect you are using Openid connect and not OAuth2 to sign-in your users. However i will answer this question based upon Oauth2 as that's what you say you are using.
Oauth2
Oauth2 is used to grant an application access to a users data. When using an oauth2 token you are acting on behalf of the user. There is in fact no user interaction when using Oauth2 tokens.
If a user consents to your application accessing their data you will get an access token and a refresh token. Access tokens are good for an hour. Refresh tokens are long lived and will give you access to a users data for as long as the user doesnt remove your consent and that you use it at least every six months.
As Oauth2 is without user interaction there is no way to use it to see if a user is logged into their account. There is actually no Google api that would give you this information. This would IMO be considered privet user information and not something that google should be sharing with third party applications.
Suggestions
You may want to consider some changes to your application.
implement logout everywhere. If the user changes their password then all of the devices they have logged in should automatically need to be re-authenticated.
Your sessions should be good for only a week or two and you should enable sliding.
Tell your users to remove the consent of your application to their data this will also force them to have to relogin.
Specifically to know about user account security events that could impact users of your app if your app is using Sign In With Google, consider registering your app to receive events for Cross Account Protection.
Our app requires Google OAuth2. When a user, with an existing Google account, authenticates with Google then we use a callback to return users to our App. This is what we want.
The issue is, for those users who do not have a Google account we ask them to create a Google account (gmail address) or connect their existing email address to Google. A user who has to follow either of these flows ends up on the "Thanks for creating a Google account page" and not back at our App.
This is supposed to work as you are expecting. There is a continue button on that page and that should bring the user back.
If that is not working, can you tell us more (about OS, client id, urls and the exact steps) or give us a link to test/reproduce? Is this on the web or on mobile app?
I integrated google drive sdk with my ios app. But the problem is when ever i logged out and log in into google drive it was asking me grant the permission every time. How to set asking this permission only once?.
-LOGANATHAN
You need to store a refresh token. When you redirect the user to a google login page, you should add the following parameter access_type=offline, then when you exchange the code for an access token, it will also return a refresh_token. You need to make sure that you store the refresh token because normally you will only receive it the first time the user signs into your application. The process is explained here https://developers.google.com/accounts/docs/OAuth2WebServer#offline