Unannounced changes to oauth2 scope/permissions?


Jack

Feb 3, 2013, 11:46:11 PM
to oauth...@googlegroups.com
I am using Google OAuth2 for my site typing.io, and I am requesting permission to view user email by setting the scope to https://www.googleapis.com/auth/userinfo.email when redirecting to Google. However, recently the Google sign-in page is requesting my users to also grant the permission 'Know who you are on Google'. I have not changed any OAuth code on my end, so I was wondering if this is a bug on Google's end. I don't need these extra permissions, and I don't want to dissuade potential users. Thanks for your help.

Jack

Mike Rooney

Feb 17, 2013, 1:06:18 PM
to oauth...@googlegroups.com
I'm finding myself in the same boat and would greatly appreciate any help. I don't need or want this information and don't want yet another bullet item to dissuade users from accepting permissions.

Thanks,
Mike

Breno de Medeiros

Feb 17, 2013, 6:10:36 PM
to oauth...@googlegroups.com
This is an intentional change to more precisely communicate to users the set of permissions that is being granted. Through knowledge of the user's email address it is possible, via indirect means, to locate the user's profile address. In the interest of more accurate disclosure, thus, we are prompting users to approve such disclosure.

The new tokens issued include permissions to obtain public profile information, in accordance with the modified text. You can use https://developers.google.com/accounts/docs/OAuth2Login#userinfocall to obtain the subset of the user's profile information that is publicly linked from the user's profile. The user's profile ID, which is always public in that endpoint, is also a more reliable identifier for the user (as email addresses can be changed on accounts). We recommend that you store the user's profile ID to ensure that email changes don't cause account confusion.



--Breno
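
The recommendation in the reply above (key local accounts on the profile ID rather than the email address), sketched as an added example that is not part of the thread and not Google's code. `AccountStore`, `sign_in` and the sample responses are constructed for illustration; the `id` and `email` field names are assumed to match the userinfo response.

```python
class AccountStore:
    """Local accounts keyed by the Google profile id, never by email."""

    def __init__(self):
        self._by_id = {}  # profile id -> account record

    def sign_in(self, userinfo):
        """Take a parsed userinfo response, return (account, event)."""
        profile_id = userinfo.get("id")
        email = userinfo.get("email")
        if not profile_id or not email:
            raise ValueError("userinfo response lacks id or email")
        account = self._by_id.get(profile_id)
        if account is None:
            # Unknown id means a new account, even when the email matches
            # one already on file for a different id.
            account = {"id": profile_id, "email": email, "saved": []}
            self._by_id[profile_id] = account
            return account, "created"
        if account["email"] != email:
            account["email"] = email  # same person, new address
            return account, "email_updated"
        return account, "existing"


def demo():
    """Replay three constructed userinfo responses through the store."""
    store = AccountStore()
    first, e1 = store.sign_in({"id": "1001", "email": "alice@example.com"})
    first["saved"].append("lesson progress")
    # Same Google account after its owner changed the address.
    same, e2 = store.sign_in({"id": "1001", "email": "alice.new@example.com"})
    # A different Google account that now presents the old address.
    other, e3 = store.sign_in({"id": "2002", "email": "alice@example.com"})
    return (e1, e2, e3), same is first, other["saved"]


if __name__ == "__main__":
    print(demo())
```

A store keyed on email would have created a second account at the address change and handed the first account's data to the third sign-in.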