Google OAuth consent screen mentions data that my app did not request
My webapp uses "Sign In with Google for Web" (https://accounts.google.com/gsi/client script). For various reasons, I now want to get rid of the JS library and implement the required steps using only Google OAuth Client Library for Java, version 1.34.1.

While the process itself works, I'm annoyed by the fact that despite my app only asking for openid email scopes, Google displays the following message at the bottom of the consent (account chooser) dialog:

To continue, Google will share your name, email address, language preference, and profile picture with APPNAME.

This message is highly misleading for my users because despite this message, the tokens do not include any scopes that would allow my app to read the full name, profile picture or other details - only openid https://www.googleapis.com/auth/userinfo.email (equivalent to openid email) just as I asked. I intentionally did not include profile in the scopes list because my app only needs the account ID (for matching the app account) and the email address.

Why does that happen? Am I doing something wrong? When I used the Google Identity client library, no such message appeared. From the documentation, there seems to be no way to influence that behavior.

Here is the URL I redirect to (with added newlines for readability). It was built using AuthorizationCodeFlow.

https://accounts.google.com/o/oauth2/auth
?access_type=offline
&client_id=MYID.apps.googleusercontent.com
&redirect_uri=MYURL
&response_type=code
&scope=openid%20email
&state=MYSTATE
&nonce=MYNONCE

Update 1

The same thing happens when using the Google OAuth 2.0 Playground and entering openid email. It redirects to this URL:

https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount
?redirect_uri=https%3A%2F%2Fdevelopers.google.com%2Foauthplayground
&prompt=consent
&response_type=code
&client_id=407408718192.apps.googleusercontent.com
&scope=openid%20email
&access_type=offline
&service=lso
&o2v=2
&flowName=GeneralOAuthFlow

Screenshot of Google consent screen with the text "To continue, Google will share your name, email address, language preference, and profile picture with Google OAuth 2.0 Playground." at the bottom. The words "your name", "language preference, and profile picture" are highlighted in yellow.

Update 2

For comparison, this is how the consent screen of a competitor looks when asking for openid email:

Screenshot of Microsoft consent screen with the text "REDACTED will be able to sign you in, and assign a unique and anonymous ID to your account. REDACTED will be able to read your primary email address."

Gristmill answered 21/12, 2022 at 14:45
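The following is an added example, not code from the question or from the Google OAuth Client Library documentation. It reproduces the two steps the question describes with google-oauth-client 1.34.1 (building the redirect URL with only the openid and email scopes, then exchanging the code) and adds the check the asker performed by hand: after the exchange it compares the granted scopes and the ID token claims against what was requested, so the app can prove it never received, and never reads, the profile data that the consent text announces. The class name MinimalGoogleSignIn, the placeholder client and redirect values, and the GsonFactory choice are assumptions; the list of profile-only claims is the set the OpenID Connect Core specification assigns to the profile scope.

```java
import com.google.api.client.auth.oauth2.AuthorizationCodeFlow;
import com.google.api.client.auth.oauth2.BearerToken;
import com.google.api.client.auth.oauth2.ClientParametersAuthentication;
import com.google.api.client.auth.openidconnect.IdToken;
import com.google.api.client.auth.openidconnect.IdTokenResponse;
import com.google.api.client.auth.openidconnect.IdTokenVerifier;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.gson.GsonFactory;

import java.io.IOException;
import java.util.*;

/** Hypothetical helper class (not part of the question or the library). */
public class MinimalGoogleSignIn {
    // Only what the app needs: the stable account ID (sub claim) and the email address.
    static final List<String> REQUESTED_SCOPES = Arrays.asList("openid", "email");
    // Claims that only the profile scope delivers (OpenID Connect Core, section 5.4).
    static final List<String> PROFILE_ONLY_CLAIMS =
        Arrays.asList("name", "given_name", "family_name", "picture", "locale");
    // Google reports short scope names under their long aliases in the token response.
    static final Map<String, String> SCOPE_ALIASES = new HashMap<>();
    static {
        SCOPE_ALIASES.put("https://www.googleapis.com/auth/userinfo.email", "email");
        SCOPE_ALIASES.put("https://www.googleapis.com/auth/userinfo.profile", "profile");
    }

    static AuthorizationCodeFlow newFlow(String clientId, String clientSecret) {
        return new AuthorizationCodeFlow.Builder(
                BearerToken.authorizationHeaderAccessMethod(),
                new NetHttpTransport(),
                new GsonFactory(),
                new GenericUrl("https://oauth2.googleapis.com/token"),
                new ClientParametersAuthentication(clientId, clientSecret),
                clientId,
                "https://accounts.google.com/o/oauth2/auth")
            .setScopes(REQUESTED_SCOPES)
            .build();
    }

    /** Step 1: the redirect URL, with the same parameters as the one shown in the question. */
    static String authorizationUrl(AuthorizationCodeFlow flow, String redirectUri,
                                   String state, String nonce) {
        return flow.newAuthorizationUrl()
            .setRedirectUri(redirectUri)
            .setState(state)               // CSRF protection, checked on the callback
            .set("access_type", "offline") // plain AuthorizationCodeFlow has no typed setter for this
            .set("nonce", nonce)           // bound to the ID token, checked in step 2
            .build();
    }

    /** Step 2: exchange the code and reject a result that does not match the request. */
    static IdToken exchangeAndVerify(AuthorizationCodeFlow flow, String clientId, String code,
                                     String redirectUri, String expectedNonce) throws IOException {
        IdTokenResponse response = IdTokenResponse.execute(
            flow.newTokenRequest(code).setRedirectUri(redirectUri));

        // The access token must not carry more authority than the app asked for.
        Set<String> unexpected = unexpectedScopes(response.getScope());
        if (!unexpected.isEmpty()) {
            throw new IOException("token granted scopes that were not requested: " + unexpected);
        }

        // Issuer, audience and expiry; from 1.34.1 this also verifies the signature
        // against Google's published keys, so it needs network access.
        IdToken idToken = response.parseIdToken();
        IdTokenVerifier verifier = new IdTokenVerifier.Builder()
            .setIssuers(Arrays.asList("https://accounts.google.com", "accounts.google.com"))
            .setAudience(Collections.singleton(clientId))
            .build();
        if (!verifier.verify(idToken)) {
            throw new IOException("ID token failed verification");
        }
        if (!expectedNonce.equals(idToken.getPayload().getNonce())) {
            throw new IOException("ID token nonce does not match the nonce sent in the redirect");
        }
        return idToken;
    }

    /** Scopes in the token response that are outside REQUESTED_SCOPES, after alias normalisation. */
    static Set<String> unexpectedScopes(String grantedScopeString) {
        Set<String> unexpected = new TreeSet<>();
        if (grantedScopeString == null) return unexpected;
        for (String scope : grantedScopeString.trim().split("\\s+")) {
            String normalised = SCOPE_ALIASES.getOrDefault(scope, scope);
            if (!REQUESTED_SCOPES.contains(normalised)) unexpected.add(normalised);
        }
        return unexpected;
    }

    /** Profile claims present in the ID token although profile was never requested (for audit logging). */
    static List<String> unrequestedProfileClaims(IdToken idToken) {
        List<String> present = new ArrayList<>();
        for (String claim : PROFILE_ONLY_CLAIMS) {
            if (idToken.getPayload().containsKey(claim)) present.add(claim);
        }
        return present;
    }
}
```

With the asker's observed behaviour (tokens scoped to openid and userinfo.email, no profile claims), unexpectedScopes returns an empty set and unrequestedProfileClaims returns an empty list; logging the latter on every sign-in gives a cheap, verifiable record that the app's data-minimisation claim in its privacy policy matches what it actually receives, and flags the day Google's behaviour changes.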

The scopes

  • OpenID email
  • profile email
  • OpenID profile email

All result in the same default message from Google's authorization server.


I can verify that the OpenID email scopes do not appear to give you access to user profile data.

This is just a default message. If it's something that really bothers you, I would be happy to send a message off to the team. They mentioned a few months back that they were tuning the messages; this may be one of the ones that was changed.

Update from Google

This is a synopsis of what I got back from Google:

The text you are seeing is actually working as intended.

An application granted access to any of the three scopes (email, openid, profile) is able to perform a new OAuth request with any of the other scopes without triggering a new prompt (you can test it by getting a token with the email scope, and then requesting a new one with the openid scope, for instance). It is currently not possible to grant an application access to just the email address without the profile picture, or just the name without the email address, etc.

Marleah answered 30/12, 2022 at 18:41
"scope openid is the same as asking for profile, email scope" - Well, the OpenID Connect specification explicitly says otherwise. Do you have any sources for this? – Gristmill
Let's take a step back and address just your question rather than understanding of OpenID. I would be happy to contact the team for you if this is something you feel should be addressed. It is not something that you can change directly; it is a default message from Google's side. – Marleah
Hi Linda! Sorry for the downvote, I undid it now. Your answer is so confusing, it didn't look like an informed one. The RFC quote you added does not state anything about what each scope means. In section 5.4 it says "profile - OPTIONAL. This scope value requests access to the End-User's default profile Claims, which are: name, (...)" - the word optional contradicts your statement that profile is somehow always included in openid. – Gristmill
Refresh the page; I have edited my answer based upon my testing. The team has been tweaking things, there appear to have been some changes. – Marleah
Yes, I think it should be addressed. Please contact the team; either they had some reason to build it like this (that the two of us did not guess), or they didn't think about my use case (of not needing the profile scope) and would be willing to change it. – Gristmill
I can send off an email but I doubt they will change it. I know enough about their authorization server that I don't think this is something they are going to bother testing for. Previously OpenID Connect automatically gave you the profile scope; that does not seem to be the case anymore. – Marleah
The edited answer is great, thank you! Also thanks for confirming that it indeed is nothing I could change on my end. Could you please try approaching the team anyway? I would be very grateful. As I wrote in the question, it's just totally confusing that the UI is so different when the end result is the same as with using the GSI client script (where the consent screen does not even have such a footer text). – Gristmill
I have a fellow GDE verifying my findings, then I will ping the team. Note I would swear openid used to give you profile by default, but I can recreate it now. – Marleah
What I remember is that "profile" used to be enabled by default if you requested any other scopes, but I can't find any of my old SO answers that said so. Most reference a now dead page that had a complicated set of rules about what scopes ended up giving you. My guess is that at one point, "profile" info was always given, so the warning message related to it was always included. At some point, they fixed the behavior to conform to standards - but forgot to change the text. – Santamaria
I have sent off a couple of messages to Google; I don't think we will hear anything from them until after the new year though. – Marleah
@JensBannmann I got a response back. Check the update. – Marleah
@DaImTo Wow, their response is as disappointing as it is surprising. IMO Google should really follow Microsoft's lead here. As I'm trying to build my application based on the principle of Data Minimisation, it definitely won't ask for the additional scope or access/store the additional data, and that's what my privacy policy will say. But it's a shame that the consent screen message and Google's OAuth implementation "sabotage" this, so to say (and that this fact isn't documented anywhere). // Anyway, thanks a lot for getting this information! I had already upvoted and accepted your answer earlier. – Gristmill
You have some very good points and I sent them back to Google. We may at the very least get this documented. – Marleah