Google OAuth2重新授权缺少许可页面上的权限 [英] Google OAuth2 re-authorization is missing permissions on the consent page
问题描述
当我强制用户第二次使用 approval_prompt = force
重新授权我的应用程序时,我如何让Google向用户显示完整的权限列表我的应用程序正在请求?
详细信息:
我有一个Web应用程序需要一组Google API权限,包括 access_type = offline
。我第一次批准它时,它显示正确的同意页面,列出所有权限,如下所示:
稍后,我会将用户带回Google授权,参数。第二次,它只显示有离线访问:
为什么不显示用户所有的权限?有没有办法迫使它第二次询问用户所有的权限?为什么现在第一次显示已离线访问?
我们的用户觉得令人困惑的是,我们的应用没有要求任何实际的权限,所以我宁愿只需再次显示第一批准屏幕即可。
请求的完整参数如下。网址:
https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force& CLIENT_ID = 1039955146864.apps.googleusercontent.com&安培; REDIRECT_URI = HTTP://本地主机:8081 /同步/谷歌/回调&安培; RESPONSE_TYPE =代码&安培;范围=的OpenID%20email%20https://www.googleapis.com/auth/admin。 directory.group.readonly%20https://www.googleapis.com/auth/admin.directory.group.member.readonly%20https://www.googleapis.com/auth/admin.directory.user.readonly&状态= 480704597031619284232891277399900450622
参数分解:
access_type:offline
approval_prompt:force
client_id:1039955146864.apps.googleusercontent.com
redirect_uri:http:// localhost:8081 / sync / google / callback
response_type:代码
范围:openid电子邮件https://www.googleapis.com/auth/admin.directory.group.readonly https://www.googleapis.com/auth/admin.directory。 group.member.readonly https://www.googleapis.com/auth/admin .directory.user.readonly
state:480704597031619284232891277399900450622
我们推出了增量授权,这是按设计工作的。
http://googleplusplatform.blogspot.com/2013/12/google-sign-in-improvements11.html
这个想法是,如果用户已经授予应用程序的权限,则不需要显示相同的权限并要求用户批准。
<如果你正确地编写你的应用程序,那么这种情况不应该出现。如果您请求离线代码(刷新令牌)并将其存储在您的后端,那么除非您需要获取新的作用域/权限,否则您不应该再次询问它。您应该使用将来存储的刷新令牌。如果用户在您的网站上时只需要访问令牌,则可以使用其他流来请求访问令牌,而无需用户查看批准页面。
When I force a user to re-authorize my application a second time, using approval_prompt=force
, how can I get Google to show the user the entire list of permissions my app is requesting?
Details:
I have a web application that requests a set of Google API permissions, including access_type=offline
. The first time I approve it, it shows the correct consent page, listing all the permissions, which looks like:
Later, I send the user back to authorize with Google, with the same parameters. The second time, it only shows "Have offline access":
Why does it not show the users all the permissions? Is there a way to force it to ask the user for all the permissions a second time? Why does it now show "Have offline access" the first time?
Our users find it confusing that our app is not asking for any actual permissions, so I'd rather just show the first approval screen again.
The full parameters for the request I am making are as follows. URL:
https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=1039955146864.apps.googleusercontent.com&redirect_uri=http://localhost:8081/sync/google/callback&response_type=code&scope=openid%20email%20https://www.googleapis.com/auth/admin.directory.group.readonly%20https://www.googleapis.com/auth/admin.directory.group.member.readonly%20https://www.googleapis.com/auth/admin.directory.user.readonly&state=480704597031619284232891277399900450622
Parameters broken out:
access_type:offline
approval_prompt:force
client_id:1039955146864.apps.googleusercontent.com
redirect_uri:http://localhost:8081/sync/google/callback
response_type:code
scope:openid email https://www.googleapis.com/auth/admin.directory.group.readonly https://www.googleapis.com/auth/admin.directory.group.member.readonly https://www.googleapis.com/auth/admin.directory.user.readonly
state:480704597031619284232891277399900450622
We launched incremental auth and this is the working as designed.
http://googleplusplatform.blogspot.com/2013/12/google-sign-in-improvements11.html
The idea is if a user has already granted the permissions to an app, there is no need to show the same permissions and ask the user to approve.
If you write your application properly then this situation should not arise. If you request an offline code (refresh token) and store it on your backend, you shouldn't be asking for it again unless if you need to get some new scopes/permissions. You should use the refresh token that you have stored in the future. If you only need the access token when the user is on your site, you can use other flows to request an access token without user seeing an approval page.
这篇关于Google OAuth2重新授权缺少许可页面上的权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!