On Tue, Nov 29, 2011 at 6:52 PM, Shawn Lewis <shl...@gmail.com> wrote:
> It's preferable to only request offline access when strictly necessary. Users
> will be less likely to use applications that request offline access.
>
> I see how to use online access for something like login that requires a user
> to click a button. Just set approval_prompt=auto and leave everything else
> alone.
>
> But what if I have a page where I'd like to have a pane that:
> - if the user has already approved us, has a widget that displays Google
> contacts (for example)
> - otherwise has a button labeled "allow this app to access my Google
> contacts".
>
> The first time the user clicks the button we get an access token and can
> populate the pane with the contacts data after making an API request. But
> what if the user navigates away and eventually the access token times out?
> When the user comes back to the page they should not have to click the
> "allow this app..." button again since they've already approved our app. So
> that means we need to acquire a new access token.
>
> One way to do this is to have the page serve a redirect to Google OAuth2
> with approval_prompt=auto if we know the user has approved us in the past.
> We get a fresh token every time the user views the page. But the problem
> comes if the user at some point disallows our application's access. In this
> scenario we should not automatically redirect them to Google OAuth2; that's
> awkward UX. They disallowed us, so we should show them the pane with the
> "allow this app..." button instead of a Google page asking for permission
> again.
What you can do is indeed redirect in a hidden iframe with approval_prompt=auto and immediate=true. This way no UI is shown to the user; if auto-approval cannot be performed you will get an error message: immediate_failed. Immediate can fail for two reasons: the user is not logged in, or the user revoked access for your app. In both cases I think you have to show the "allow this app..." button.
> This could be solved if there was an API call to determine the current
> scopes we've been approved for by a given user. We could check if they have
> disallowed us and not serve the redirect in that case. In other words we need
> an operation "Will this OAuth2 request auto-approve?" I haven't been able to
> find such an operation in the docs, but maybe it exists.
>
> I hope the above is clear. If not I can try again.
>
> Thanks for your help,
> Shawn