"Adding" scopes to an existing refresh token using OAuth 2.0


Simon Berthiaume
May 10, 2012, 10:28:36 AM
to google-api-...@googlegroups.com
Hi, I'm in a situation where a client can link many google accounts to his account, but also "add" additional services to each of these accounts (scenario further down) and I'm unsure how we should manage that using OAuth 2.0.

For example, the client linked myFirs...@google.com to give access to Google Analytics data, we get a refresh token for that; later on, he decides to also link mySeco...@google.com for AdWords; finally, he also decides to give us access to his AdWords data for myFirs...@google.com.

First of all, is there a way to request authorization to a SPECIFIC google account if we have the email address (provided by the user)? Because right now, from what I understand, we can only get it once we got the Authorization Code back and made the request for the Access/Refresh Token.

If we already have some access to a google account, is there a way to "add" additional access? Since the email address is only available AFTER the request for a specific service, and the refresh token seems to only apply for the requested access (no matter what was previously granted to the application), this seems rather impossible.

Right now, the only viable option seems to be to keep different refresh tokens for each service the user wants to link, but if there was a way to combine them it would seem "cleaner".

Thanks for any help you could provide; feel free to ask questions if my explanation isn't clear.

Yaniv Inbar (יניב ענבר)
May 11, 2012, 10:15:30 AM
to google-api-...@googlegroups.com
Great questions!

As far as I know, it is not possible to request an access token for a specific account.  It is however possible to request the name of the account associated with an access token.  More information about that can be found at:


It is not possible to essentially widen scope of a refresh token.  Storing a separate refresh token for each scope is possible but inadvisable.  What we recommend instead is to request multiple scopes for each refresh token.  The scope parameter can be a space-separated list of scopes.  The Java client library actually takes in a variable list of scopes, so it takes care of space-separating it for you.

Let me know if you need to see more specifics, or if you have any follow up questions.  If you have more general questions about OAuth 2 (like your question about requesting a token for a specific account), you can also try this Google Group:


Yaniv Inbar
Senior Software Engineer
Google Inc.

Simon Berthiaume
May 14, 2012, 2:13:59 PM
to google-api-...@googlegroups.com
Thanks for your reply, I did know about profile information/email request and I did use that. I also knew it was possible to request multiple scopes at the same time, which I also use (to have email + GoogleAnalytics).

What I'm trying to do is to allow our users to link multiple Google accounts to his account, give us only the necessary access to each of them and allow him to give us additional access in the future if his needs change. Is there a way to accomplish that?

My issue is that I cannot know, in advance, all the scopes/services the user will request, so I cannot, for example, request AdWords + GoogleAnalytics up-front. Moreover, since our client's account can link to multiple Google accounts, it isn't possible to assume that they would be reusing the same account they already linked and simply add the new scope to what we already have and make a new request. Finally, since we cannot make a request for a specific account, even if we already have a refresh token, we cannot even ask the user to reuse one of his existing accounts.


Simon B.




Simon Berthiaume
Aug 7, 2013, 2:48:31 PM
to google-api-...@googlegroups.com
Were there any updates/changes on the way OAuth tokens can be managed?

In our model, a client may use the same account for multiple services, but we would like to request the scope only when necessary (trying to link your account for AdWords and being told we request GoogleAnalytics as well could seem weird); with my understanding of the OAuth limitations, I see only 2 ways to handle that:
  1. We keep a refresh token per scope requested (one for AdWords, one for GoogleAnalytics, one for DoubleClick DFA, ...)
  2. We check for any existing scopes, add the one requested and check that the user really authenticated himself using the same account using the email address and give an error message otherwise.
Any other solutions for our specific needs?

Thanks for any info.

Simon B.

Roy
Sep 1, 2013, 12:25:52 AM
to google-api-...@googlegroups.com
Are you doing Javascript or server based auth?
In javascript you have the ...

login_hint (value: email address or sub identifier) - When your application knows which user it is trying to authenticate, it may provide this parameter as a hint to the Authentication Server. Passing this hint will either pre-fill the email box on the sign-in form or select the proper multi-login session, thereby simplifying the login flow.
... parameter.

On you option 1, may I suggest that you test this before spending too much time on it. I can see no guarantee in the documentation that Google supports multiple auths for a given user/app combination. You might find that each new scoped auth invalidates the previous one.

Another (equally ugly) approach might be to have multiple applications, each with a unique client-id and set of scopes. The user would choose which app to sign up to based on his precise functionality requirements. He would then be presented with the appropriate scope-array. afaik, the multiple apps can all carry the same name (check this) so the user wouldn't necessarily see this. Even if duplicate app names are disallowed, a short suffix might suffice. You would then need to make sure you store the appropriate client-id against the user and use that client ID in all auth dialogues.
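Putting the thread's pieces together (Yaniv's space-separated multi-scope request, Roy's login_hint, and Simon's option 2 of checking that the authorizing account matches the expected email), here is an added example that is not code from any poster: it re-requests the already-granted scopes plus the new one against Google's authorization endpoint and rejects the new refresh token if it came back for a different account. The client id, redirect URI and scope lists are placeholders/assumptions; the scope URIs are Google's published ones for the services mentioned.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Google's OAuth 2.0 authorization endpoint.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Google's scope strings for the services discussed in the thread. The email
# scope is always included so we can learn which account actually authorized us.
SCOPE_EMAIL = "https://www.googleapis.com/auth/userinfo.email"
SCOPE_ANALYTICS = "https://www.googleapis.com/auth/analytics.readonly"
SCOPE_ADWORDS = "https://www.googleapis.com/auth/adwords"


def merge_scopes(already_granted, newly_requested):
    """Full scope list to ask for: everything previously granted for this Google
    account plus the new service. A refresh token only covers the scopes that
    were requested with it, so the old scopes must be re-requested or the new
    token would be narrower than the one it replaces."""
    merged = []
    for scope in list(already_granted) + list(newly_requested) + [SCOPE_EMAIL]:
        if scope not in merged:
            merged.append(scope)
    return merged


def build_auth_url(client_id, redirect_uri, scopes, account_email, state):
    """'scope' is one space-separated string; 'login_hint' pre-selects the Google
    account we expect; 'state' ties the callback to this linking attempt (CSRF)."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "access_type": "offline",  # required to be issued a refresh token
        "scope": " ".join(scopes),
        "login_hint": account_email,
        "state": state,
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def auth_url_params(url):
    """Decode the query string of a built URL (each value is a one-element list)."""
    return parse_qs(urlparse(url).query)


def verify_linked_account(expected_email, expected_state, cb_state, token_email):
    """Option 2 from the thread: after the token exchange, confirm the user signed
    in with the hinted account. login_hint is only a hint, so a mismatch means
    the new refresh token belongs to another account and must not overwrite
    the stored one. Also reject callbacks whose state does not match."""
    if not secrets.compare_digest(expected_state, cb_state):
        return False
    return expected_email.strip().lower() == token_email.strip().lower()
```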

Simon Berthiaume
Sep 3, 2013, 8:29:53 AM
to google-api-...@googlegroups.com
That "login_hint" seems new, I will take a look at it, thanks.


Simon B.