Using online access given upcoming December update


Shawn Lewis

Nov 29, 2011, 9:52:10 PM
to oauth...@googlegroups.com
It's preferable to only request offline access when strictly necessary. Users will be less likely to use applications that request offline access.

I see how to use online access for something like login that requires a user to click a button. Just set approval_prompt=auto and leave everything else alone.

But what if I have a page where I'd like to have a pane that:
  - if the user has already approved us has a widget that displays google contacts (for example)
  - otherwise has a button labeled "allow this app to access my google contacts".

The first time the user clicks the button we get an access token and can populate the pane with the contacts data after making an api request. But what if the user navigates away and eventually the access token times out? When the user comes back to the page they should not have to click the "allow this app..." button again since they've already approved our app. So that means we need to acquire a new access token.

One way to do this is to have the page serve a redirect to google oauth2 with approval_prompt=auto if we know the user has approved us in the past. We get a fresh token every time the user views the page. But the problem comes if the user at some point disallows our application's access. In this scenario we should not automatically redirect them to google oauth2, that's awkward UX. They disallowed us, so we should show them the pane with the "allow this app..." button instead of a google page asking for permission again.

This could be solved if there was an API call to determine the current scopes we've been approved for by a given user. We could check if they have disallowed us and not serve the redirect in that case. In other words we need an operation "Will this oauth2 request auto approve?" I haven't been able to find such an operation in the docs, but maybe it exists.

I hope the above is clear. If not I can try again.

Thanks for your help,
Shawn

Marius Scurtescu

Dec 1, 2011, 1:52:37 PM
to oauth...@googlegroups.com
Hi Shawn,

See comments below...

What you can do is indeed redirect in a hidden iframe with
approval_prompt=auto and immediate=true. This way no UI is shown to
the user, if auto-approval cannot be performed you will get an error
message: immediate_failed. Immediate can fail for two reasons: the
user is not logged in or the user revoked access for your app. In both
cases I think you have to show the button "allow this app...".
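The hidden-iframe flow Marius describes, written out as an added example (not code from this thread or from Google). The authorization endpoint URL, the implicit-flow parameters (response_type=token, client_id, redirect_uri, scope, state) and the shape of the callback fragment are assumptions; the decision logic is kept in plain functions so it can be exercised without a browser.

```javascript
// Assumed endpoint and implicit flow (not stated in the thread).
const AUTH_ENDPOINT = 'https://accounts.google.com/o/oauth2/auth';

// Build the iframe URL. approval_prompt=auto plus immediate=true ask for a token
// only if it can be issued without showing the user any UI.
function buildSilentAuthUrl({ clientId, redirectUri, scope, state }) {
  const params = new URLSearchParams({
    response_type: 'token',
    client_id: clientId,
    redirect_uri: redirectUri,
    scope,
    state, // random per-request value, checked again in classifyCallback
    approval_prompt: 'auto',
    immediate: 'true',
  });
  return `${AUTH_ENDPOINT}?${params.toString()}`;
}

// Map the callback fragment ("#access_token=...&state=..." or
// "#error=immediate_failed&state=...") to a UI decision:
//   populate    -> render the contacts pane with the fresh token
//   show_button -> render the "allow this app..." button instead
//   reject      -> ignore the callback (state mismatch or malformed)
function classifyCallback(fragment, expectedState) {
  const p = new URLSearchParams(fragment.replace(/^#/, ''));
  if (p.get('state') !== expectedState) {
    return { action: 'reject', reason: 'state_mismatch' };
  }
  const error = p.get('error');
  if (error === 'immediate_failed') {
    // Not logged in, access revoked, or several accounts signed in at once:
    // the error does not say which, so all cases get the same fallback.
    return { action: 'show_button', reason: error };
  }
  if (error) return { action: 'show_button', reason: error };
  const token = p.get('access_token');
  if (!token) return { action: 'reject', reason: 'no_token' };
  return { action: 'populate', accessToken: token, expiresIn: Number(p.get('expires_in')) };
}

// Browser glue (not exercised by the test): load the URL in a hidden iframe; the
// redirect_uri page then hands its location.hash back to classifyCallback.
function startSilentRefresh(url) {
  const frame = document.createElement('iframe');
  frame.style.display = 'none';
  frame.src = url;
  document.body.appendChild(frame);
}
```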

Shawn Lewis

Dec 1, 2011, 2:04:24 PM
to oauth...@googlegroups.com
Ah perfect. Thanks. What I was missing is "immediate=true" (it's not currently in the Google oauth2 docs AFAICT).

Shawn Lewis

Dec 12, 2011, 3:14:58 PM
to oauth...@googlegroups.com
This is broken in a third case: immediate also fails if the user is logged in to two accounts. Which means there is currently no way to automatically refresh (without showing a UI) online tokens for users who use more than one Google account at a time.

There needs to be a way to pass the account we are trying to refresh a token for, either via some account id or maybe by passing the token back.


Pisith

Mar 30, 2012, 6:02:26 AM
to oauth...@googlegroups.com
Hi Shawn Lewis, I totally agree with you. I personally don't use applications that require offline access :)

About refreshing online token, did you find a way to avoid showing a UI for users who use more than one Google Account?

Thanks,
Pisith