android, google-oauth, google-signin

Are authorizations without sign in allowed?


If I try to request an authorization for the DRIVE_APPDATA scope like this (without a previous sign in):

val authorizationRequest =
    AuthorizationRequest
        .builder()
        .setRequestedScopes(listOf(Scope(DriveScopes.DRIVE_APPDATA)))
        .build()

Identity
    .getAuthorizationClient(context)
    .authorize(authorizationRequest)
    .addOnSuccessListener { authorizationResult ->
        if (authorizationResult.hasResolution()) {
            // access needs to be granted by the user
            val pendingIntent = authorizationResult.pendingIntent
            try {
                startIntentSenderForResult(pendingIntent!!.intentSender, 999, null, 0, 0, 0, null)
            } catch (e: SendIntentException) {
                Log.i("TTTT", "Couldn't start Authorization UI: " + e.localizedMessage)
            }
        } else {
            // access already granted, continue with user action
            Log.i("TTTT", "access already granted")
            // saveToDriveAppFolder(authorizationResult)
        }
    }
    .addOnFailureListener { e -> Log.i("TTTT", "Failed to authorize", e) }

The request seems to work correctly:

  1. It first shows an account picker to select one of the available accounts.
  2. After choosing an account, it shows the authorization dialog for the drive scope.
  3. It authorizes the scope correctly.

But I have a couple of doubts:

  1. Is this truly allowed? The documentation about authorizations doesn't make it clear whether a previous sign in is required or not.
  2. If it is allowed, how do I let the user authorize a different account? Subsequent calls to the authorization request don't show the account picker anymore (it defaults to the already authorized account).

Solution

  • That is correct; being signed in is not required for authorization (from the authorization point of view; most likely you want your user to be signed into your app using your account management system, I suppose). If you call the Identity signOut or its CredentialManager equivalent clearCredentialState, it should prompt the user with the account picker again.
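
The account-switch flow described in the answer, as an added Kotlin sketch that is not part of the original question or answer: it clears the remembered account state and then repeats the same DRIVE_APPDATA authorization request. The function names are hypothetical, and the code assumes the androidx.credentials and kotlinx-coroutines-play-services dependencies are on the classpath.

```kotlin
import android.content.Context
import androidx.credentials.ClearCredentialStateRequest
import androidx.credentials.CredentialManager
import com.google.android.gms.auth.api.identity.AuthorizationRequest
import com.google.android.gms.auth.api.identity.AuthorizationResult
import com.google.android.gms.auth.api.identity.Identity
import com.google.android.gms.common.api.Scope
import com.google.api.services.drive.DriveScopes
import kotlinx.coroutines.tasks.await

// Option A (hypothetical helper): clear state through Credential Manager.
suspend fun forgetAccountWithCredentialManager(context: Context) {
    CredentialManager.create(context)
        .clearCredentialState(ClearCredentialStateRequest())
}

// Option B (hypothetical helper): clear state through the Identity sign-in client.
suspend fun forgetAccountWithIdentity(context: Context) {
    Identity.getSignInClient(context).signOut().await()
}

// Hypothetical helper: forget the previously chosen account, then request
// only the app-data scope again so the user can pick an account.
suspend fun authorizeWithAccountChoice(context: Context): AuthorizationResult {
    // Use one of the two options; Option A is shown here.
    forgetAccountWithCredentialManager(context)

    val request = AuthorizationRequest.builder()
        .setRequestedScopes(listOf(Scope(DriveScopes.DRIVE_APPDATA)))
        .build()

    // The caller still has to check hasResolution() and launch the
    // pendingIntent, exactly as in the question's success listener.
    return Identity.getAuthorizationClient(context).authorize(request).await()
}
```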