Google Groups

Re: Using online access given upcoming December update


Marius Scurtescu Dec 1, 2011 10:52 AM
Posted in group: Developer Forum for Google API Access using OAuth2
Hi Shawn,

See comments below...

On Tue, Nov 29, 2011 at 6:52 PM, Shawn Lewis <shl...@gmail.com> wrote:
> It's preferable to only request offline access when strictly necessary. Users
> will be less likely to use applications that request offline access.
> I see how to use online access for something like login that requires a user
> to click a button. Just set approval_prompt=auto and leave everything else
> alone.
> But what if I have a page where I'd like to have a pane that:
>   - if the user has already approved us has a widget that displays google
> contacts (for example)
>   - otherwise has a button labeled "allow this app to access my google
> contacts".
> The first time the user clicks the button we get an access token and can
> populate the pane with the contacts data after making an api request. But
> what if the user navigates away and eventually the access token times out?
> When the user comes back to the page they should not have to click the
> "allow this app..." button again since they've already approved our app. So
> that means we need to acquire a new access token.
> One way to do this is to have the page serve a redirect to google oauth2
> with approval_prompt=auto if we know the user has approved us in the past.
> We get a fresh token every time the user views the page. But the problem
> comes if the user at some point disallows our application's access. In this
> scenario we should not automatically redirect them to google oauth2, that's
> awkward UX. They disallowed us, so we should show them the pane with the
> "allow this app..." button instead of a google page asking for permission
> again.

What you can do is indeed redirect in a hidden iframe with
approval_prompt=auto and immediate=true. This way no UI is shown to
the user; if auto-approval cannot be performed you will get an error
message: immediate_failed. Immediate can fail for two reasons: the
user is not logged in or the user revoked access for your app. In both
cases I think you have to show the button "allow this app...".


> This could be solved if there was an API call to determine the current
> scopes we've been approved for by a given user. We could check if they have
> disallowed us and not serve the redirect in that case. In other words we need
> an operation "Will this oauth2 request auto approve?" I haven't been able to
> find such an operation in the docs, but maybe it exists.
> I hope the above is clear. If not I can try again.
> Thanks for your help,
> Shawn