Why do I only sometimes get an OAuth 2 consent dialog? - authentication

I just wanted to check my understanding here.
When I log into some applications e.g. Dropbox with my Google account, I get a consent dialog:
I can then revoke access in my Google account as I would expect.
However, when I sign into other apps, e.g. SoundCloud, I don't get a consent dialog at all; it just takes me straight in. Neither does SoundCloud appear in my list of revocable apps in my Google account.
I am presuming that this is because SoundCloud does not require any information or rights with respect to my Google Account and therefore no consent is required. That is, all it requires is authentication, which does not require consent (presumably because entering your credentials is considered consent enough for this purpose).
I just wanted to confirm that I am correct in my assumptions.

You have found the answer to your question.
If you check Dropbox's login request, it contains a special scope value https://www.google.com/m8/feeds which stands for Manage your contacts (reference).
Dropbox scope parameter - scope=https://www.google.com/m8/feeds+email+profile
But if you check the same with SoundCloud, you only see profile-specific scopes such as email profile openid
SoundCloud scope parameter - scope=email profile openid https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/plus.me
So yes, you get the consent page because of the special scope present in Dropbox's authorization request. And the consent page matches the scope value.
For further reading, see this blog on default scopes and special scopes.
P.S. - You can monitor these scope values with the browser debugger. You must enable the debugger for popups and navigations to see them. I used Chrome to extract those values.
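The answer's observation is that the consent dialog follows from the scope parameter of the authorization request. The following added example (not code from the original post) parses such a request URL, normalises the space-delimited scope list whether the spaces were encoded as '+' or '%20', and flags any scope beyond sign-in identity. The identity scope set is an assumption for illustration taken from the SoundCloud request quoted above, not Google's documented policy; the URLs are constructed with placeholder client_id and redirect_uri values.

```python
from urllib.parse import urlsplit, parse_qs

# Scopes that only identify the signed-in user (taken from the SoundCloud
# request quoted in the answer). Assumption for illustration: a request
# carrying nothing beyond these is treated as "authentication only".
IDENTITY_SCOPES = {
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
    "https://www.googleapis.com/auth/plus.me",
}


def extract_scopes(authorize_url):
    """Return the de-duplicated, sorted scopes requested in an authorization URL.

    Scopes are space-delimited (RFC 6749 section 3.3); in a query string the
    space appears as '+' or '%20', both of which parse_qs decodes back to ' '.
    """
    query = parse_qs(urlsplit(authorize_url).query)
    raw = query.get("scope", [""])[0]
    return sorted(set(raw.split()))


def scopes_beyond_identity(authorize_url):
    """Scopes that grant access to data beyond the user's own identity."""
    return [s for s in extract_scopes(authorize_url) if s not in IDENTITY_SCOPES]


def consent_expected(authorize_url):
    """True when the request asks for more than sign-in identity, i.e. the user
    should expect a consent dialog and a revocable entry in their account."""
    return bool(scopes_beyond_identity(authorize_url))


# Constructed request URLs using the two scope strings quoted in the answer.
DROPBOX_LIKE = (
    "https://accounts.google.com/o/oauth2/auth?client_id=PLACEHOLDER_CLIENT_ID"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb&response_type=code"
    "&scope=https://www.google.com/m8/feeds+email+profile"
)
SOUNDCLOUD_LIKE = (
    "https://accounts.google.com/o/oauth2/auth?client_id=PLACEHOLDER_CLIENT_ID"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb&response_type=code"
    "&scope=email%20profile%20openid%20https://www.googleapis.com/auth/userinfo.email"
    "%20https://www.googleapis.com/auth/userinfo.profile%20https://www.googleapis.com/auth/plus.me"
)

if __name__ == "__main__":
    for name, url in (("Dropbox-like", DROPBOX_LIKE), ("SoundCloud-like", SOUNDCLOUD_LIKE)):
        print(name, "consent expected:", consent_expected(url), scopes_beyond_identity(url))
```

Running it reports that only the Dropbox-like request carries a scope beyond identity (the contacts feed), which is the one the answer says triggers the consent page.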

Related

Google's OAuth Consent Screen doesn't allow users to reject requested scopes?

Originally, I believe the OAuth consent screen would allow the user to uncheck certain scopes they didn't want the requesting app to have access to (i.e. the user could decide not to give the app permission to use phone_number). Google would then send the user on their way to the app with whatever access scopes the user consented to. If the app absolutely required that permission then it would be the responsibility of the app to inform the user of this.
Now (I'm not sure when this changed) it seems the user is no longer given the option to deselect a requested scope. They can only allow it or be stuck on the consent screen.
Is this appropriate behavior according to the OAuth spec? To me it shouldn't be the responsibility of the resource owner to halt consent entirely due to the user denying a certain requested scope. This seems to be a Google bug, correct?
To be clear, I am working to make my app only request the scopes it absolutely requires. But I don't think that this change should be absolutely necessary.

Google Oauth2 settings: consent screen required fields and verification

I've created a project on google console.
I need to get access to Drive API, so I need to configure OAuth2 settings.
It's requesting me for three kinds of information:
Credentials: I got it. I need the client ID and client secret in order for Google to identify my client.
Consent screen: I don't quite figure out what that's for. Is it the screen that appears when a user grants consent to the application to act on his behalf?
Domain verification: What??
When I'm creating the consent screen, Google is requesting these fields from me (some of them are required).
I'm just creating a service for testing the Drive API. I mean, I don't have any authorized domain, homepage, policy or terms of service links. I just want to play around.
Also, Google is telling me the consent screen has to be verified:
Any lights please?

Google Oauth2 consent screen verification

We are setting up an "app" in Google Cloud Console for the sole purpose of single sign-on - letting users sign into a WordPress site and a Moodle site using their Google accounts.
When setting up the "OAuth Consent Screen" - there is a "Submit for Verification" button which is disabled (grayed out). The verification status is "not published".
The question: does it need to be verified? The documentation, such as there is, hints darkly at various limitations if it is not. Yet, there appears to be no path to get it verified.
It "works" in testing for allowing log in with Google account, but the organization has a large number of users. Are we going to hit limits if we go live with it?
We haven't added any scopes. Do we need to, just to get the ability to get it verified? It "works" in testing, without having added any scopes.
Any insight is welcome on how to get this app verified - or as to whether we need to have it verified (maybe it can't be verified because it doesn't need to be?).

Authenticate with Office365 as a Onenote plugin

How can I get an authentication token without requiring an Office365 user to sign in? (sign in again, that is - assume the user is signed into Onenote with OneDrive) I would like to create a Onenote plugin utilising semi-new API features for teachers (here).
Microsoft released a plugin early on in their branch of Onenote schools support that added basic buttons as a Onenote toolbar but they only lead to the online interface. I'm under the impression it then isn't possible to get a token from within Onenote.
Unfortunately, this capability does not exist yet. In order to be able to call the OneNote API, the user will have to sign in and give your app permissions. This is obviously not the ideal user experience, but currently there is no way around it.
The closest example I can think of is the meeting details button in the home tab in OneNote Web. It calls outlook APIs and therefore needs to be able to sign the user in.
On the positive side, once the user is signed in, you can store the refresh token in a cookie (remember to encrypt and mark it for expiration) and he/she will not have to sign in again in that browser.

Linkedin API: how to use my login credential in my access token

I'm building my website to pull out my own LinkedIn profile info. And it is working, but when a visitor comes to the site, they will have to log in to see my profile info displayed on my page. This should be a public website and I don't want visitors to log in to their LinkedIn account in order to see my public page.
Is there any way to do this (so that visitors can see my info without having to be logged in)? Thank you
NOTE: I'm using their REST API by the way.
Per the documentation (section #1, bullet point 3), it is not possible to share your profile information via the API without the user both authenticating your LinkedIn application that is pulling the info, and also the authenticated user then being connected to you in some way. From that document, "Each user must grant your application access to their LinkedIn network and they can only see data from their own LinkedIn network. For example, you cannot gather information about a LinkedIn member in one user's LinkedIn network and show that information to other users"
In short, the REST API is probably not the way to go to expose your profile to unauthenticated users. What you might want to do is use one of the plugins, such as the Member Profile plugin.