Request additional scopes with signIn
#23
Comments
|
I'm facing the exact same problem. Previously my login flow (login + grant scopes) was contained in a single web view step. Now we need to show one web view for the sign in and another for granting permissions which feels less convenient. And thanks a lot for SPM and Apple Silicon support! It's awesome 😃 |
|
You are correct, with the 6.0.0 release we're requesting only the basic profile scopes (email, profile, openid) in the user's initial sign-in flow. If you require an additional scope, this will need to happen via |
|
Thanks @petea for the explanation. |
|
Reopening for discussion. |
petea
changed the title
signIn
|
Hi @petea. Very often we need to get all the scopes in time of sign in(or just after), and in this case it's very inconvenient to user to see Other approach is just add possibility to hide 2nd popup with sign in question for cases when adding scopes going just after sign in. |
|
Hi @petea. In our App, we have a use case that suffers from this decision. Our users are able to link their calendars (multiple options available) and he only needs sign-in to when we need his calendar consent. This now leads us to having to move the user through two sign-ins (from the eyes of the user) which is bad UX. |
|
Hello @petea 👋 I have the same flow as @mamilov. |
|
This is not a good call. I understand your desire to sign in and then prompt for scope at a later time as more functionality is required. However in our app, this just creates a very poor user experience. That's because we have Google Drive integration and that's all we need. So basically the user signs in and then immediately has to click a prompt again to open a dialog that appears to close immediately to provide the additional scope. Why? What was wrong with the previous method? This appears to be a poor decision on Google's behalf to force developers to use their product in a way that does not make sense. We require the ability to sign in with an initial scope. Period. |
|
Hi @petea 👋 |
|
I get this same issue, I think the repeated web view will confuse the user. Because user don't know or don't care it is an addScope of whatever. But they do see two web view for grant permission appearing in a row, which is really weird! I agree that we could add scope when sign in like before. |
|
@cpboyd note that basic profile scopes (email, profile, openid) are granted with the |
|
@petea Thanks for clarifying! I'm not currently using any other scopes, but my app depends on the Flutter plugin. Would it be possible to build the extra scope flow into the existing WebView pop-up? i.e. somehow give users the ability to opt-out of specific scopes? It seems like that might be nice even if not requesting at log-in, since a user might want to grant permission to Drive but not Contacts. |
|
FWIW since this library is now open source you can pretty trivially expose the interfaces from The implementation is already there (and is actually the same one used by the public let viewController = UIViewController()
let configuration = GIDConfiguration(clientID: "clientID", serverClientID: "serverID")
let options = GIDSignInInternalOptions.defaultOptions(
with: configuration,
presenting: viewController,
loginHint: nil
) { user, error in
}
options.scopes = ["A", "B", "C"]
GIDSignIn.sharedInstance.signIn(with: options)For the changes needed, see this commit |
I see the recent version 6.0.2 has different code structure than your commit! |
|
I agree too, that in my app this makes for a UX that looks odd. What are users to understand from this "second sign in" requirement? Here's the way it looks in my app: Example.for.work.movAs remarked, it's not that hard to change the repo in your own fork to work around this. That will put additional overhead on devs using this repo though, when one wants to integrates changes from the main repo though. |
|
Hello @petea
The discussion is now opened for 3 months, what's the result? Thanks |
|
I need way to workaround, it's a very dumb decision to have two step authentication like this. |
|
You can use the fork/PR here to workaround. I have a fork too with similar workaround.. Also, IMO, judging decisions as |
|
To me the most confusing thing about this process is that, underneath the hood, google implements oauth. So:
This is definitely a head scratcher for me. I understand that applications can eff with users by requesting all kinds of extra permissions along with the basic permissions needed to sign in. But this doesn't change anything -- bad actors can trivially work around it -- and I'm curious how this was sold as a feature. |
|
Christopher, I tried your fork but still in the sample I need to grant
additional scopes.
…On Tue, Oct 5, 2021 at 4:28 PM Christopher Prince ***@***.***> wrote:
You can use the fork/PR here to workaround. I have a fork too with
similar workaround. <https://github.com/crspybits/GoogleSignIn-iOS>.
Also, IMO, judging decisions as dumb is not Being considerate, kind,
constructive, and helpful. (see
https://github.com/google/.github/blob/76351dccba796e06868acdaeadfae58f11622e7a/CODE_OF_CONDUCT.md
).
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#23 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AABF3UPXWZUWC2SFLY343RLUFLVPFANCNFSM5ALD7H7A>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
|
|
Our users may be signing in to Google as a secondary account immediately before we use of one of the requested scopes - the flow is following incremental authorization. Requiring a double sign-in creates a very bad user experience. Removing functionality, especially changes done with tacit assumption that developers don't know any better, should be done conservatively and with much feedback. Please reverse this decision. |
|
@dsharma To help you I'd need more details. I haven't used the sample. Why do you still need to grant additional scopes? |
|
Ok it's working. Thank you for the help.
…On Thu, Oct 7, 2021 at 7:02 AM Christopher Prince ***@***.***> wrote:
@dsharma <https://github.com/dsharma> To help you I'd need more details.
I haven't used the sample. Why do you still need to grant additional scopes?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#23 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AABF3UONQLRS6V5KIT72BE3UFUEUTANCNFSM5ALD7H7A>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
|
|
Not all users of our app authenticate with Google at sign-in, but later add Google Photos as a source for creating photo books. After upgrading to |
I believe the need for this changes was to provide incremental authorisation ie
So if my app needs sign in with scope, and for us we know that the right point to ask for scope is at google sign in, then showing this unusual flow to my customers, just to provide 'a best user-experience' does not make sense. Developers should be allowed to choose what's best point to get scopes. And if we feel the best point is at sign-in then we should be allowed to have sign in + scopes in one go. |
|
Even Flutter, Google's own cross-platform app development platform is still avoiding v6 due to this specific issue: Clearly having developers avoid upgrading the SDK (potentially adding security vulnerabilities to countless apps) isn't the intention of this change. Shouldn't the proper course of action have been to give advance notice of the change with proper deprecation and a cut-off deadline? |
|
I'm the maintainer of https://github.com/klippa-app/nativescript-login and I'm holding off the upgrade due to this issue. However, it doesn't make a lot of sense to remove the scope parameter in the initial flow, as a lot of apps need extra scopes for their app to work at all, and the login flow is perfectly able to show the information about these scopes. On this principle my plugin is built and the only way now is to show 2 logins modals, which degrades the plugin UI, so I'm holding it off for now. |
|
Can this PR be merged? #67 |
|
We're also hitting this problem, would appreciate the PR getting merged and a new release! |
|
Is there a chance this change can be merged any time soon? This is the only reason we are still using the old library version :-/ |
|
Jeez... here we are in 2022. 😓 |
|
Hey everyone. I got sick of Google's eternally beta software. It seems that this stupid two step process also caused my users to not actually being signed in correctly and caused non-authenticated daily usage limits. So I wrote this addition for Objective-C that adds the single sign-in method with scopes. Enjoy. |
|
@jkichline Would you kindly fork this project so we can use SPM? 🙏🏻 thanks |
|
Thanks to everyone for sharing your concerns and specific examples. The incremental authorization pattern continues to be the recommended way to handle authorization after authentication when requesting additional scopes for specific features of your integration. However, we understand that for certain use cases this incremental authorization approach has led to a degraded user experience with the flow requesting authorization of an additional scope being seen immediately after the user has just completed the authentication flow. In our 6.2 release we will return the ability to request additional scopes as part of the sign-in moment for apps that require this for their core functionality. This release will be made available in the coming weeks. |
|
Is there any update on this issue? Is it available? |
|
@rldaulton the 6.2.0 release, which will address this issue, should be ready within a week. |
|
Google Sign-In 6.2 has been released. |
and others
Hello,
Since the 6.0.0 it looks like isn't anymore possible to SignIn with scopes. The only way I'v found is :
signInWithConfiguration:presentingViewController:callback:addScopes:presentingViewController:callback:In my case, I need to connect my user to their Youtube account. It results in two" sign in" in a row, which can be weird for some users.
Is there a way to make one sign in with scope or this is a volunteer behavior?
Btw, thanks for the SPM and M1 compatibility!
Thanks
Florian
The text was updated successfully, but these errors were encountered: