I noticed that a lot of apps that I use (Pokemon GO, CityMapper, Booking.com and many others) don't display a consent screen when using Google sign-in; however, our app always displays it to all users.
The scopes we are requesting are email, profile and openid, according to the consent screen settings (https://console.cloud.google.com/apis/credentials/consent).
But in code we only request the email scope. I also noticed that I cannot remove them from the Google developer console consent tab.
How can I make sure that the consent screen is not shown?
The code we use is as simple as this:
// DEFAULT_SIGN_IN already asks for the user's ID and basic profile; only the email scope is added explicitly.
GoogleSignInOptions gso = new GoogleSignInOptions.Builder(GoogleSignInOptions.DEFAULT_SIGN_IN)
        .requestEmail()
        .build();
Just wanted to add that it's absolutely not clear from any of Google's docs what makes the consent screen show up or not.
Thanks to @steven-soneff above: the reason my consent screen was shown is that I was requesting offline access from the Google OAuth API.
I noticed that the Google OAuth consent screen shows different information in development versus production.
Development Google OAuth Consent Screen
The path for the development environment before we are redirected to the Google OAuth Consent Screen is as follows:
http://localhost/tips-and-trips-by-sham/google_calendar_add_event/
The path for the development environment for the Google OAuth Consent Screen is as follows:
https://accounts.google.com/signin/oauth/oauthchooseaccount?scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar&redirect_uri=http%3A%2F%2Flocalhost%2Fgoogle_calendar_add_event_php%2Fgoogle_calendar_event_sync.php&response_type=code&client_id=179430523214-h7u06vpoj31hec4vpbn2sust7c8ltkee.apps.googleusercontent.com&access_type=offline&service=lso&o2v=1&flowName=GeneralOAuthFlow
Production Google OAuth Consent Screen
The path for the production environment before we are redirected to the Google OAuth Consent Screen is as follows:
https://shaynhacker.com/clients/travel/travel/google_calendar_add_event/
The path for the production environment for the Google OAuth Consent Screen is as follows:
https://accounts.google.com/signin/oauth/oauthchooseaccount?scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar&redirect_uri=https%3A%2F%2Fshaynhacker.com%2Fclients%2Ftravel%2Ftravel%2Fgoogle_calendar_add_event%2Fgoogle_calendar_event_sync.php&response_type=code&client_id=179430523214-h7u06vpoj31hec4vpbn2sust7c8ltkee.apps.googleusercontent.com&access_type=offline&service=lso&o2v=1&flowName=GeneralOAuthFlow
Now, the information shown on the Google OAuth Consent Screen in the development environment is what I want to be shown in the production environment, which is Trips & Tips By Sham and not my email address.
I followed the instructions on the relevant Google page https://console.cloud.google.com/apis/credentials/consent?project=rich-store-372122, but to no avail.
The instructions there did not meet my needs because the production environment shows my personal email address instead of the title I gave on that page, which is Trips & Tips By Sham.
Consent Screen Configuration/Consent Screen Details
After checking the documentation related to the consent screen, it seems that the display name and logo for an app in production are subject to the verification status of your application, as shown here:
Since the problem with your application seems to be with the one in production, I would suggest checking whether your app needs to complete verification; if so, you can verify the app by following this documentation. Once again, the behavior seems to be expected according to this information:
I've created a project on the Google console.
I need access to the Drive API, so I need to configure OAuth2 settings.
It's asking me for three kinds of information:
Credentials: I got it. I need the client ID and client secret so that Google can identify my client.
Consent screen: I don't quite understand what that is for. Is it the screen that appears when a user grants the application consent to act on their behalf?
Domain verification: What??
When I'm creating the consent screen, Google is asking me for these fields (some of them are required).
I'm just creating a service for testing the Drive API. I mean, I don't have any authorized domain, homepage, policy or terms of service links. I just want to play around.
Also, Google is telling me the consent screen has to be verified:
Any lights please?
I implemented the G+ sign-in function on my site, documented here. The problem is that Google shows the sign-in dialog in a popup. This breaks my site on iOS if I bookmark it to the home screen: it cannot close the popup. Is there an option to open sign-in another way?
There is another way, but it's slightly more complicated.
You can follow the instructions in the Google OpenID Connect documentation. Broadly, it involves directing the user to an authorization endpoint from which you get back a code. You then exchange that code at the token endpoint for access, ID, and refresh tokens.
The best way to learn how this flow works in an interactive way is using the OAuth Playground. Try entering profile email openid in the "input your own scopes" box, then tap Authorize APIs. Here's an example auth URL.
The docs for verifying the ID Token detail how to use the ID Token to authenticate the user, by extracting the sub value.
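The flow the answer above describes, written out as an added example (this is not code from the answer or from Google's libraries): building the authorization request with state, nonce and PKCE, checking the callback, shaping the token-endpoint request, and validating the ID token before trusting its sub claim. It uses only the Python standard library and makes no network calls. The signature-verification callback is pluggable; the HS256 fixture at the bottom is constructed for the example only, since real Google ID tokens are RS256-signed and must be checked against the key set at the discovery document's jwks_uri.

```python
"""OpenID Connect code flow against Google: build the request, check the
callback, shape the code exchange, and validate the ID token to get sub.
Added example, not code from the answer above; standard library only."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_auth_request(client_id, redirect_uri, scopes=("openid", "email", "profile")):
    """Return (authorization URL, per-request secrets to keep server-side).
    state ties the callback to this browser session (anti-CSRF), nonce ties
    the ID token to this request (anti-replay), and the PKCE verifier ties
    the code exchange to the client that started the flow."""
    session = {"state": secrets.token_urlsafe(32),
               "nonce": secrets.token_urlsafe(32),
               "code_verifier": secrets.token_urlsafe(64)}
    challenge = b64url(hashlib.sha256(session["code_verifier"].encode()).digest())
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": " ".join(scopes),
              "state": session["state"], "nonce": session["nonce"],
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return AUTH_ENDPOINT + "?" + urlencode(params), session


def parse_callback(callback_url, session):
    """Return the code from the redirect, refusing it unless state matches."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"][0])
    got = q.get("state", [""])[0].encode()
    if not hmac.compare_digest(got, session["state"].encode()):
        raise ValueError("state mismatch: CSRF or replayed callback")
    return q["code"][0]


def token_request_body(code, client_id, client_secret, redirect_uri, session):
    """Form fields to POST to TOKEN_ENDPOINT; the response carries access_token,
    id_token and, only when access_type=offline was requested, refresh_token."""
    return {"code": code, "client_id": client_id, "client_secret": client_secret,
            "redirect_uri": redirect_uri, "grant_type": "authorization_code",
            "code_verifier": session["code_verifier"]}


def verify_id_token(id_token, verify_signature, client_id, nonce, now=None):
    """Check signature and claims of an ID token; return the stable user id (sub).
    verify_signature(signing_input, signature, header) must return True only for
    a valid signature under the key the header names. For real Google tokens that
    is RS256 against the JWKS at https://www.googleapis.com/oauth2/v3/certs."""
    now = int(time.time()) if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg", "none") == "none":
        raise ValueError("unsigned token rejected")
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    if not verify_signature(signing_input, b64url_decode(parts[2]), header):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != client_id:
        raise ValueError("token was issued to a different client")
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), nonce.encode()):
        raise ValueError("nonce mismatch: token not bound to this request")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if not claims.get("sub"):
        raise ValueError("no subject claim")
    return claims["sub"]  # key accounts on sub: it is stable, email can change


def constructed_id_token(claims, key):
    """Constructed test fixture: an HS256 JWT under a shared key. Google never
    signs ID tokens with a shared key; this only exercises the checks above."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, (header + "." + body).encode("ascii"), hashlib.sha256).digest()
    return header + "." + body + "." + b64url(sig)


def hs256_verifier(key):
    """verify_signature callback matching constructed_id_token (fixture only)."""
    def verify(signing_input, signature, header):
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        return header.get("alg") == "HS256" and hmac.compare_digest(expected, signature)
    return verify
```

The order of checks matters: the signature is verified before any claim is read, an `alg` of `none` is refused outright, and the account is keyed on `sub` rather than `email`, because a Google account's email can change while `sub` does not.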
We are implementing Google OAuth 2.0 single sign-on with our applications. We have a web application, a Windows desktop app, an Android app and an iPhone app.
From our applications (Windows app/mobile app), when a user tries to log in we use the flow below:
1) We get a URL (https://accounts.google.com/o/oauth2/auth?client_id=XXXXXXXXXXXXXXXXXXXXXXXXXXXX&response_type=code&scope=openid%20profile%20email&redirect_uri=urn:ietf:wg:oauth:2.0:oob&login_hint=myemail#gmail.com) from our API, which redirects the user to the Google login screen.
2) After authentication:
a) On the first login it displays the consent screen with the scopes (View your email address / View your basic info / Know who you are on Google) mentioned in the above URL.
b) On subsequent logins it displays the consent screen with the scope (Have offline access).
3) Then Google returns us a code in the page title, which we use for our authentication, and then we allow the user to access our application.
When we use the same flow in the web application it doesn't ask for the offline access scope on subsequent logins, but in the desktop app/mobile app it shows the "Have offline access" scope screen on every subsequent login.
How can I avoid the (Have offline access) scope screen on subsequent logins?
Please suggest.
FYI
1) I have tried approval_prompt and access_type, but there was no change in behavior.
2) We are not storing any refresh token after the first authentication.
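Both the Android question at the top of the page (where offline access turned out to be what triggered the consent screen) and the SSO question above come down to which parameters of the authorization request decide what the user is shown. As an added example that is not part of either post, the helper below parses an authorization URL and reports the consent-relevant parameters, together with findings a reviewer would raise: offline access requested, consent forced, the deprecated OOB redirect, a non-loopback http redirect, and a missing state or nonce. The two sample URLs are copied from the posts on this page (the client_id values are the posters' own, not secrets); the desktop URL's login_hint value is percent-encoded here so the whole string parses as a query. Only the standard library is used.

```python
"""Audit a Google OAuth 2.0 authorization URL for the parameters that decide
which consent screen, if any, the user sees. Added example using only the
standard library; the sample URLs are copied from the posts on this page."""
from urllib.parse import parse_qs, urlparse

OOB_REDIRECT = "urn:ietf:wg:oauth:2.0:oob"

# Copied from the questions above (the client_id values are the posters' own).
PROD_CALENDAR_URL = (
    "https://accounts.google.com/signin/oauth/oauthchooseaccount"
    "?scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar"
    "&redirect_uri=https%3A%2F%2Fshaynhacker.com%2Fclients%2Ftravel%2Ftravel"
    "%2Fgoogle_calendar_add_event%2Fgoogle_calendar_event_sync.php"
    "&response_type=code"
    "&client_id=179430523214-h7u06vpoj31hec4vpbn2sust7c8ltkee.apps.googleusercontent.com"
    "&access_type=offline&service=lso&o2v=1&flowName=GeneralOAuthFlow")
DESKTOP_SSO_URL = (
    "https://accounts.google.com/o/oauth2/auth?client_id=XXXXXXXXXXXXXXXXXXXXXXXXXXXX"
    "&response_type=code&scope=openid%20profile%20email"
    "&redirect_uri=urn:ietf:wg:oauth:2.0:oob&login_hint=myemail%40gmail.com")


def audit_auth_url(url):
    """Return the consent-relevant parameters plus a list of findings."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query, keep_blank_values=True).items()}
    scopes = q.get("scope", "").split()
    redirect = urlparse(q.get("redirect_uri", ""))
    findings = []
    if q.get("access_type") == "offline":
        findings.append("access_type=offline: a refresh token is requested, so the "
                        "user is asked to grant offline access")
    if q.get("prompt") == "consent" or q.get("approval_prompt") == "force":
        findings.append("prompt=consent / approval_prompt=force: the consent screen "
                        "is shown on every sign-in, even for already-granted scopes")
    if q.get("prompt") == "none":
        findings.append("prompt=none: no screen at all; an error is returned if "
                        "login or consent would be needed")
    if q.get("redirect_uri") == OOB_REDIRECT:
        findings.append("OOB redirect (code delivered in the page title) is deprecated "
                        "by Google; use a loopback or custom-scheme redirect instead")
    elif redirect.scheme == "http" and redirect.hostname not in ("localhost", "127.0.0.1"):
        findings.append("http redirect_uri outside loopback: the code travels in the "
                        "clear and Google only permits plain http for localhost")
    if "state" not in q:
        findings.append("no state: the callback cannot be tied to the user's session (CSRF)")
    if "openid" in scopes and "nonce" not in q:
        findings.append("openid without nonce: the ID token cannot be bound to this request")
    return {"scopes": scopes,
            "access_type": q.get("access_type", "online"),
            "prompt": q.get("prompt") or q.get("approval_prompt"),
            "redirect_uri": q.get("redirect_uri"),
            "findings": findings}
```

Run against the production calendar URL the audit reports access_type=offline (the "offline access" grant) and a missing state; against the desktop SSO URL it reports the deprecated OOB redirect and an openid request without a nonce. A URL with a loopback http redirect, state and nonce produces no findings.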
All of the authentication features I see for the Instagram API make the user "allow access" to your app by redirecting them. I have seen several apps that let the user log in directly; can someone please enlighten me on how they are doing this?
If the app uses Instagram's authentication, it first redirects to the Instagram login page, where you have to enter your username/password, and then it shows a page to allow access; after this it redirects back to the application.
But some apps directly ask for the username/password in their own UI. These apps store your password and use it to authenticate from automated devices running Instagram so they can post pictures on your behalf. The reason they do this is that there is no API for posting pictures; the only way apps can post pictures is by collecting the username/password and then posting from automated devices. This is risky: never give out your username/password. Doing this is against the terms and conditions. Only log in if the login screen looks like the Instagram login page.