Google SSO not asking for scope for just one user (other users OK)
I'm seeing a strange problem with google SSO and one of my users.
I'm requesting the following scopes using the oauth:
const url = oauth2Client.generateAuthUrl({
access_type: 'offline', // we want refresh tokens
scope: ['email'],
state: '{...}', //state object
prompt: 'consent',
hd: 'example.com', // restrict to just our domain
include_granted_scopes: true,
});
For every other user redirected to url, they are given a consent screen after authenticating that looks like this:
EXCEPT for one user. For this user - when they authenticate, there is no consent screen, and they are logged in with the bare minimum scope.
When the user looks at their account security page, they see our webapp as authorized with no scope. I've asked the user to revoke the app permissions and to try logging in again, but the same thing happens. They are logged in with no consent screen and no scope. Again, the strange thing is that it is only occurring for this one user.
The culprit in this case was:
include_granted_scopes: true,
The other users for whom the consent screen was shown had at some time in the past been given the correct scope, and granted permission. Therefore, on any subsequent grant, the consent screen showed the previously granted scopes. The source code, at some point, changed and removed those particular scopes (and thus, we were only left with the email scope as shown in the question.
Interestingly, the email scope does not have to be consented to, and is automatic so it returned the user to our app with that granted scope, having never showed the consent screen to that one user.
Changing the scope to actually include the correct scopes now allows all users to see the consent screen and grant the proper scopes:
const url = oauth2Client.generateAuthUrl({
access_type: 'offline', // we want refresh tokens
scope: ['email',
'https://www.googleapis.com/auth/gmail.readonly',
'https://www.googleapis.com/auth/gmail.labels',
'https://www.googleapis.com/auth/gmail.modify',
],
state: '{...}', //state object
prompt: 'consent',
hd: 'example.com', // restrict to just our domain
include_granted_scopes: true,
});
- New Google place api using google OAuth, ask failed to refresh token
- Access token obtained with 'auth-code' login flow with 'drive.file' scope, later used for picking file and on the server returns "entity not found"
- PHPMailer getOAuth2token response to div
- Google AdWords API authorization raising AdsCommon::Errors::AuthError
- Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
- Cross-client Google OAuth: Get auth code on iOS and access token on server
- Google Authenticator available as a public service?
- Google OAuth components must be used within GoogleOAuthProvider
- Access google cloud storage bucket from other project using python
- Django Google log-in/sign up not working even though django-oauth
- How to obtain android app version code using Google Api?
- Problems with ShinyApp and Google authentification, when making Public
- testing google sheet editor addon fails with error 403
- Google API Invalid JWT Signature in SFCC
- Google Classroom iframe, compare login_hint with signed in user
- Origin is "not allowed" for given client ID when origin was added
- Issue when trying to register an app for consent screen in google oauth
- Correct setup for accessing a GSheet published as a webapp via a service account
- How to set up Google OAuth clients to split authorization and token exchange between client and server?
- Get 403 response with the "new" Firebase Cloud Messaging API
- Google OAuth 2.0 Flow Issue (Implicit)
- Unable to fetch access token and refresh token from google OAuth2.0 using the authorized code
- How should I use the id token returned to me by Google after a successful code exchange?
- Google Cloud Platform adding OAuth Client ID says Requested entity already exists
- Gmail API Oauth2 Send from different address
- How to test Google's OAuth granular consent screen for TV & Device Apps
- How to verify google auth token at server side in node js?
- Firebase - Notification push - Oauth2 - 401 invalid authentication credentials - Symfony
- How to specify fields for $plus->people->get('me') call?
- Is there a way to keep oauth2 token for infinite time?