Tags: oauth-2.0, google-api, google-oauth

Google OAuth2 is missing scope that was requested


We have OAuth2 on our website, and according to our logs, we redirect users to URL like this:

https://accounts.google.com/o/oauth2/auth?access_type=offline&client_id=xxxx&prompt=consent&redirect_uri=xxxx/callback&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fyoutube.readonly+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&state=Y38pUwFTAqbaHsU6oa4q

The next log entry is the redirect callback from Google, which is missing the www.googleapis.com/auth/youtube.readonly scope:

https://ourapp.com/oauth2/callback?state=xxxx&code=xxx&scope=email%20profile%20openid%20https://www.googleapis.com/auth/userinfo.profile%20https://www.googleapis.com/auth/userinfo.email&authuser=0&prompt=consent

What may be a reason for this behavior? It happens only to some users, and very inconsistently. I wasn't able to reproduce it myself.

The application is approved by Google and the scope usage is verified.


Solution

  • For apps that request more than one scope (you are asking for identity scopes email, profile and YouTube), you must be able to handle partial consent where the user may choose on the consent page to not grant access to one or more non-identity scopes.

    https://developers.google.com/identity/protocols/oauth2/policies#unbundled-consent

    You can encourage your users to grant access to the scope needed by separating the sign-in moment (asking for email, profile) information from the moment of asking for YouTube access. This is called incremental authorization.

    You can also tell your users before you redirect to the OAuth flow why you are asking for the data you need to let them make a more informed choice.
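The handling the answer describes, written out as an added example (not code from the question or from Google's libraries): the callback handler compares the `scope` parameter Google returns with the scopes the app requested, treats the identity shorthand names (`email`, `profile`) Google sends alongside the full URIs as equivalent, checks the `state` value against the one stored for the session before accepting the code, and, when a non-identity scope was declined, builds a follow-up authorization URL for that scope only with `include_granted_scopes=true`, which is the incremental-authorization parameter Google's OAuth endpoint supports. The client id, redirect URI, state and callback URL are constructed placeholders modelled on the question's logs.

```python
from urllib.parse import urlparse, parse_qs, urlencode

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"

USERINFO_EMAIL = "https://www.googleapis.com/auth/userinfo.email"
USERINFO_PROFILE = "https://www.googleapis.com/auth/userinfo.profile"
YOUTUBE_READONLY = "https://www.googleapis.com/auth/youtube.readonly"

# Google reports the identity scopes both as shorthand names and as full
# URIs in the callback; normalise both forms to the URI before comparing.
SCOPE_ALIASES = {"email": USERINFO_EMAIL, "profile": USERINFO_PROFILE}

# Scopes the app asked for in its initial redirect (from the question).
REQUESTED_SCOPES = {YOUTUBE_READONLY, USERINFO_PROFILE, USERINFO_EMAIL}

# Constructed sample callback: the user granted the identity scopes but
# declined YouTube access on the consent screen.
SAMPLE_CALLBACK = (
    "https://ourapp.com/oauth2/callback?state=abc123&code=4/0Aexample"
    "&scope=email%20profile%20openid"
    "%20https://www.googleapis.com/auth/userinfo.profile"
    "%20https://www.googleapis.com/auth/userinfo.email"
    "&authuser=0&prompt=consent"
)


def canonical(scope: str) -> str:
    return SCOPE_ALIASES.get(scope, scope)


def query_params(callback_url: str) -> dict:
    # parse_qs decodes the %20 separators back into spaces.
    return parse_qs(urlparse(callback_url).query)


def verify_state(callback_url: str, expected_state: str) -> bool:
    # The state must equal the value stored for this browser session;
    # a mismatch means the code was not issued for this login attempt.
    returned = query_params(callback_url).get("state", [""])[0]
    return bool(expected_state) and returned == expected_state


def granted_scopes(callback_url: str) -> set:
    raw = query_params(callback_url).get("scope", [""])[0]
    return {canonical(s) for s in raw.split() if s}


def missing_scopes(requested: set, callback_url: str) -> set:
    return {canonical(s) for s in requested} - granted_scopes(callback_url)


def build_incremental_auth_url(client_id: str, redirect_uri: str,
                               scopes: set, state: str) -> str:
    # Only the declined scopes are requested; include_granted_scopes=true
    # asks Google to fold the already-granted ones into the new token.
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(sorted(scopes)),
        "access_type": "offline",
        "prompt": "consent",
        "include_granted_scopes": "true",
        "state": state,
    }
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}"


def handle_callback(callback_url: str, expected_state: str,
                    client_id: str, redirect_uri: str) -> dict:
    """Decide what to do with a Google OAuth2 callback."""
    if not verify_state(callback_url, expected_state):
        return {"status": "state_mismatch"}
    missing = missing_scopes(REQUESTED_SCOPES, callback_url)
    if not missing:
        return {"status": "complete", "missing": []}
    # Partial consent: keep the sign-in, and offer a second, narrower
    # authorization for the declined scope once the user needs that feature.
    return {
        "status": "partial",
        "missing": sorted(missing),
        "next_url": build_incremental_auth_url(
            client_id, redirect_uri, missing, expected_state),
    }


if __name__ == "__main__":
    result = handle_callback(SAMPLE_CALLBACK, "abc123",
                             "client-id-placeholder",
                             "https://ourapp.com/oauth2/callback")
    print(result["status"], result.get("missing"))
    print(result.get("next_url"))
```

The point of keeping the sign-in rather than failing the whole login is that the identity scopes were granted; the app can record that YouTube access is absent and ask for it later, at the moment the feature is used, instead of re-running the full consent screen.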