Google OAuth flow

Hello everyone,
I have a use case that I think is pretty common. I want to implement incremental authorization for Google OAuth 2.0 because this is better for the user experience. I first want the user to log in to my app with Google but ask only for his basic contact details. Then, after he has logged in, I want him to grant me access to his Google Analytics data. How should I go about doing this? I’ve been looking at the Accounts code and wondering how I can use it to do what I want.

Any directions would be much appreciated.

You should be able to use e.g. Meteor.loginWithGoogle and pass it {requestPermissions: [...]} once the user already has an account to upgrade the permissions. Haven’t tried this myself, but that would be the first place I’d look (before trying to build it myself).

2 Likes

Rahul, I seriously can’t thank you enough… I was agonizing about this but your solution did the trick!!!
:smiley:

1 Like

@rahul I thought you cannot call Meteor.loginWithGoogle on an already logged-in user. Can you? Otherwise, this would not work since you would not know when to elevate permission requirements.

So @yann how did that work out for you?

It works like a charm! It will give another prompt with only the additional permissions

1 Like

Heya! This works like a charm for incrementing authorization. But when the user signs out and then signs in again, the scopes are back to the original ones.

  1. Sign in/up (Meteor.loginWithGoogle with minimal scope)
  2. Re-signin to increment authorization (Meteor.loginWithGoogle with additional scope)
  3. Sign out
  4. Sign in again (Meteor.loginWithGoogle with minimal scope)

At first I thought it might be that Meteor just updated the services.google.scope list to whatever was last passed to loginWithGoogle(). But I’ve double-checked the access token manually ( https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=xyz ) and the minimal scope is indeed in effect.

Any ideas?

Still exploring, but it seems like it’s possible to store the access token with the elevated privileges separately and then manually add it back once the user has signed in again. Another option is to use the refresh token to retrieve a new access token.

Found the solution, posting it here in case anyone else runs into the same problem. Just add an extra parameter include_granted_scopes=true to the auth URL.

In Meteor that means adding the following to the loginWithGoogle() options:

loginUrlParameters: {include_granted_scopes: true}

https://developers.google.com/identity/protocols/OAuth2WebServer#redirecting

1 Like
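The manual tokeninfo check and the `include_granted_scopes` fix from the posts above, combined into one helper; this is an added example, not code from any poster or from Meteor. It assumes the v1 tokeninfo response carries `audience` and a space-delimited `scope` field; `CLIENT_ID`, the sample responses and the function names are constructed for illustration.

```javascript
// Added example. CLIENT_ID and the SAMPLE_* responses are constructed placeholders.
const ANALYTICS_SCOPE = 'https://www.googleapis.com/auth/analytics.readonly';
const CLIENT_ID = 'example-client-id.apps.googleusercontent.com';

// Options for the follow-up Meteor.loginWithGoogle() call (step 2 in the thread).
function incrementalLoginOptions(extraScopes) {
  return {
    requestPermissions: extraScopes,
    loginUrlParameters: { include_granted_scopes: true },
  };
}

// tokenInfo: parsed JSON body returned by the tokeninfo endpoint quoted in the thread.
function checkToken(tokenInfo, clientId, requiredScopes) {
  if (!tokenInfo || tokenInfo.error) {
    return { ok: false, missing: requiredScopes, reason: 'invalid_token' };
  }
  // Reject tokens that were issued to a different OAuth client.
  if (tokenInfo.audience !== clientId) {
    return { ok: false, missing: requiredScopes, reason: 'wrong_audience' };
  }
  const granted = new Set(String(tokenInfo.scope || '').split(/\s+/).filter(Boolean));
  const missing = requiredScopes.filter((s) => !granted.has(s));
  return { ok: missing.length === 0, missing, reason: missing.length ? 'missing_scope' : null };
}

// Re-prompt only when the token is ours but lacks a scope. `login` is injected,
// e.g. (opts) => Meteor.loginWithGoogle(opts, callback) inside a Meteor client.
function ensureScopes(tokenInfo, clientId, requiredScopes, login) {
  const result = checkToken(tokenInfo, clientId, requiredScopes);
  if (result.reason === 'missing_scope') {
    login(incrementalLoginOptions(result.missing));
  }
  return result;
}

// Constructed tokeninfo responses: after a minimal sign-in, and after the upgrade.
const SAMPLE_MINIMAL = {
  audience: CLIENT_ID,
  scope: 'https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile',
  expires_in: 3599,
};
const SAMPLE_UPGRADED = { ...SAMPLE_MINIMAL, scope: SAMPLE_MINIMAL.scope + ' ' + ANALYTICS_SCOPE };
```

Running the check after every sign-in catches the case described above, where a later minimal-scope login returns a token without the Analytics scope.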

hey! sorry for late reply… was a busy week. Glad you found it!

@yann @rahul @mikael: I still suck at getting a Google refresh token using a code; can I have an example of code showing how to get it to work, please? Knowing that I don’t use Google to log in to my app.

Thanks for your help.