I'm developing a google assistant app, and I have implemented a google sign in with oauth2 code flow.
The thing here is that the assistant is supposed to refresh the access token automagically as stated here. The issue is that whenever my access token expires, I'm asked to link my account and "sign in" again instead of just refreshing the access token.
As you can see en number 1, I previously gave authorization to see me profile, it even greeted me by my name. After an hour or so, the Link to Google button is presented.
When I press the Link to Google button, I'm sent to to a chrome tab, but I don't need to press any button to grant permissions again, it rapidly shows a signing message and goes to google.com as soon as it finishes.
Related
I've implemented the Google SignIn code with authentication to access Google Drive and have a sign out button with the following recommended code from Google:
GIDSignIn.sharedInstance().signOut()
However, every time after the first time I run the app, the signIn process no longer asks me for my password.
If I sign in and then press the my sign out button, the next time I press the sign in button I am prompted for a google account and then prompted to allow access to Google drive.
If I sign in and then quit the app without pressing the sign out button, the next time I press the sign in button I receive no prompts and am logged in completely.
This behavior appears to be consistent with Google's statement regarding their quick start code (https://developers.google.com/drive/v3/web/quickstart/ios?ver=swift):
"Authorization information is stored in your Keychain, so subsequent executions will not prompt for authorization."
That is the GIDSignIn.sharedInstance().signOut() sign out command appears to work on Google's end (have to pick a Google account and allow Google drive access on the next login), but not on the iOS end as it appears that iOS has saved the password (presumably in the keychain) and always gives it to Google when I sign in after the first time.
I saw the post for Google Sign Out iOS where Birendra had recommended trying
[GTMOAuth2ViewControllerTouch removeAuthFromKeychainForName:kKeychainItemName];
to remove the password from the iOS Device's keychain.
I have not had any luck finding out how to use that suggestion. Can someone explain how to remove the password information that the user entered using Google SignIn? (Assuming this is what needs to be done to completely log out the user). I'm using Swift.
Normally having the keychain remember the password for Google wouldn't be a problem, but this is an app to collect research data. The subjects will be using their own iOS device (iPhone) and log into the lab's Google account, so we don't want that password to stay in their keychain.
Help is appreciated.
As of the time of this post, you can use the following:
Swift 5
GIDSignIn.sharedInstance()?.disconnect()
Disconnects the current user from the app and revokes previous
authentication. If the operation succeeds, the OAuth 2.0 token is also
removed from keychain.
Short description:
If a user has already granted my application OAuth access to their google profile, I want to spare them of having to press "sign in using google" button every time they land on my home page and log them in automatically.
If user has not granted access yet, I want to present them with sign in options page with "sign in using google" button.
Long description:
I am implementing Google OAuth flow as described on this link:
Using OAuth 2.0 for Web Server Applications
Just for the clarity, the flow in question is as follows:
present (client side) user with "sign in using google" button
after user presses the button, redirect them to google's OAuth 2.0 server, where they allow/deny my application to access their google profile
if user allows access, google redirects them back to my application
my application (server side) uses acquired grant to get access token
my application (server side) access user's profile using acquired access token
I want to achieve the following:
If user has already allowed my application access to their google profile before (either on current computer or some other), I want them to have an impression of being signed in to my application (using google) immediately after they navigate to my application's URL. Without having to click anything.
This is at first glance not a problem. To achieve this, I would automate steps 1 and 2 of the flow described above. User would be redirected to google oauth server automatically - without having to press "sign in using google" button - right after they navigates to application's URL. Google in turn immediately redirects user back to my application with a valid grant (again without requiring any input from the user). The rest remains the same. User would have an impression of being logged in immediately .
This approach has a problem though. If user goes to my page for the first time (not having granted my application access before), they would also be redirected to google OAuth page. But since they haven't granted access yet, and didn't press any sing in button, they would and end up staring at google oauth server page confused having no clue, what is going on.
Is there some API, by which I can detect that user has not yet granted access to my app (and I should present him with sing in button first)?
Please, if your solution would involve some API calls, point me to a HTTP/REST API, as I don't use (and do not want use) any higher level OAuth library.
Thanks.
Add "prompt=none" parameter to your initial OAuth redirect. This way google will not block if user has not logged in or has not granted your app the permissions.
See Chapter 3.1.2.1 of http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
Short summary of other possible "prompt" values:
none - will not prompt anything, redirects back with error "login_required" or "interaction_required" if silent login is not possible.
login - force the login prompt, even when user is logged-in.
consent - force the consent prompt, even if user has provided consent in the past.
select_account - present account selection prompt.
Sometimes when a user logins into a site with Google's OAuth 2.0 they choose the wrong account to login with. Normally this isn't a problem if the user has more than one account registered with the browser, google will automatically show the user select screen:
But if a user has only one account and is logged in, this screen is skipped. Instead I need Google's sign in panel to always appear, so that I can be sure the user has the option to try and enter the correct account. I tried using approval_prompt = "force", but that forces the acceptance of permissions rather than simply showing the login page.
How can I force Google's OAuth 2.0 to always show the login screen?
(and never automatically skip it)
Add the parameter prompt=select_account to your authorization request.
This will cause the account chooser to always be shown, even if the user is only logged in to one account. Users will be able to select from their accounts, or add a new one.
For example: https://accounts.google.com/o/oauth2/auth?redirect_uri=https%3A%2F%2Fdevelopers.google.com%2Foauthplayground&response_type=code&client_id=407408718192.apps.googleusercontent.com&scope=profile+email&access_type=offline&prompt=select_account
I am using Cordova 3.4.0 along with the official facebook connect plugin link
The issue is that every time user opens the application. He/She has to press login and then it shows the "App already authorized screen" before the user is able to perform any action. How to prevent this addition of an action in the user flow?
I read that it is basically because the access token isn't stored by the plugin. As a result this action needs to be taken again and again. So I have now stored access token using localstorage but unfortunately don't know how to go about using it.
FB.api('/me/friends?access_token="+access_token+"', { fields: 'id, name, picture' },
Using it in the manner above results in an error saying invalid oAuth access token. Even though I placed an alert before this line to ensure that access_token had a valid value. Any help in this regard would be highly appreciate.
Just to rephrase I don't want the user to be asked to press login button every time they open the application.
I have a website where I use Oauth to log users into Gmail, and then retrieve their contacts and other info. What do I need to do to ensure that when the user logs-off my website, he automatically logs out from Gmail too?
As far as I know, there is no logout in OAuth. You simply stop sending tokens between your application and Gmail.
This may be a shortcoming of the 3-legged OAuth flow. The user must sign into their account to provide consent, but once they provide the consent, the OAuth flow takes them away from Gmail. Since users are in a different mind-set when signing in to provide consent vs. signing in to send/check email, they may not realize that they remain signed in after the user flow returns to the OAuth consumer.
I have this issue with Gmail as well as Yahoo and WindowsLive.
In the absence of a standard, I'm considering modifying the user experience on my site to make it more obvious to the the user that they remain signed into their Gmail account and will remain so until they actively sign out. My best option at this point is to add a 'sign out' link beside the Gmail icon on my site. This 'sign out' link will launch (yet) another popup to navigate to the Gmail/Yahoo/WindowsLive Sign Out page.
I'm not in love with this approach, it would be better if my 'sign out' link could sign the user out without requiring a popup window. IE my application would sign out on behalf of the user by hitting an OAuth sign out endpoint.
A less explicit approach would be to load the gmail logout page (https://mail.google.com/mail/u/0/?logout&hl=en) in a hidden iframe on my site, when the user clicks on my 'sign out' link. This would have the UX I'm after.
Unfortunately, opening an iframe will no longer work in newer browsers.
Google has started blocking requests coming from an iframe (except for the youtube embed iframes and any other officially supported ones)
http://groups.google.com/group/youtube-api/browse_thread/thread/2d2236731672a098
I had to do a terrible kludge of popping up a window, posting "action_logout" to www.youtube.com (thats where i wanted to log out from), and then closing that popped up window.
Not terribly happy with it, but seems to be the only solution so far.