Why does Google OAuth2 re-ask user for permission when i send them to auth url again
Yes as you've noted using the approval_prompt=force
URL parameter will force showing the auth dialog to the user every single time. By simply removing this URL parameter the user will not be prompted on subsequent auth flows.
There is a slight difference in the response that you will get if you use the server-side flow (response_type=code
) and offline access (access_type=offline
). The first time the user authorizes you (when he sees the approval screen) or if you force this by using approval_prompt=force
then when you exchange the auth code you will be granted a refresh_token
and an access_token
.
However every time the user is not shown with the approval screen (subsequent auth when not using approval_prompt=force), when exchanging the auth code you will only be granted an access_token, no refresh_token. So if that's the flow you are using and if you want to be able to access the user's data offline you need to make sure that you save the refresh_token locally for future use when you get it the first time.
That is only likely to happen if you request access to another type of data than simply the auth data though (using the OAuth 2 flow you can request access to other data, for instance, Contacts API data, Calendar API data, Drive data, etc...) as, usually, a regular Open ID flow would not need offline access.
Related videos on Youtube
timh
Updated on June 04, 2022Comments
-
timh almost 2 years
With the old google openid, when i sent a user (who had previously opted-in to my app) to the auth url, it would immediately redirect them back to my app.
Now, with OAuth2, the auth url keeps asking the user for permission. I read some of the docs on this, but what I dont get is how this flow i supposed to work:
- User logs into google via my app and clicks ALLOW for permissions
- Days later, cookies are cleared, user comes back to my site, clicks "Login to google"
- User is not asked for permission again and they are immediately logged in.
I think it has something to do with storing the auth token or refresh token in step 1, but in Step 3, I don't know who they are, so how can i match them with the proper auth or refresh token to gain a valid access token.
In my tests, when I send them to the original auth url in step 1, they are asked for permissions again.
EDIT: Found the solution
The google-api puts "approval_prompt=force" by default when creating the auth url.
-
Tony over 10 yearsi've set this to 'auto' as the google docs said. But sadly it always ask again for the permissions.
-
javadev about 9 yearsHi dyoser, I'm having the same problem. Did you have the chance to get this fixed?
-
zavr almost 8 yearsYou have to complete the process by exchanging the code for the token then the app will appear in the list here security.google.com/settings/security/permissions and users won't be asked for permissions again.
-
centurian over 6 yearsThe
access_type=offline
andapproval_prompt=force
is the ONLY combination that works as of today for getting the refresh token with the response along with the access token-tested with curl after some hours of trying! You'll get sth like this: Array ( [access_token] => ya29.Glv4... [expires_in] => 2017-11-03 22:25:33 [id_token] => eyJWY... [refresh_token] => 1/1fg... [token_type] => Bearer )