OAuth/OpenID at Google


#1

I tried out the Google implementation of oauth/openid, here are my notes. I was not sure where to post this, here or at issues (I am not shure if there is an issue)

1 - Google takes consent for the “profile” and “email” scopes into the login step, in the “Choose an account”-window the message

“To continue, Google will share your name, email address and profile picture with APP_NAME”

is shown at the bottom of the window. I.e. the login process gives consent to these 2 scopes and no further consent window is shown in this case (pure OpenId Connect, no authorizations).

Scope “profile” is not the same as the “profile” claim in http://openid.net/specs/openid-connect-core-1_0.html#Claims. Google’s “profile” is the public data on google+, user, name(s) and picture.

A prompt=consent request in this case takes us only to the login window.

2 - The consent window is only shown if other (google api) scopes (different from profile and email) are required, for example

https://www.googleapis.com/auth/gmail.readonly (read access to gmail messages).

The requested scopes must all be accepted for the authorization to be accepted, there are no checkboxes in the consent window, either you accept all or you reject (Cancel) the request.

A prompt=consent request will first show the “login” and then the “consent” window in this case. There seems to be no easy way to remove permissions in this flow.

3 - Google supports what they call incremental authorization (https://developers.google.com/identity/protocols/OAuth2WebServer#incrementalAuth)

If new scopes are added to the client request, only the new scopes need to be accepted in the “consent” window. The new token will contain all scopes.

A prompt=consent will show all authorized scopes.

4 - Google’s authorizations can be reviewed and removed here: https://myaccount.google.com/permissions. No single scopes can be removed,
only all scopes and permissions for an application.

5 - Permissions are for an application and not for application/client (which makes a lot of sense to me). Once given permissions from a client, If I login from another client the permissions are there.

6 - Nice tool: https://developers.google.com/oauthplayground/ Use https://jwt.io/ for id_token

7 - They seem to have a little bug: When only the “profile” scope is requested, the message under the login window also says “To continue, Google will share your name, email address and profile picture with APP_NAME”. However, the id_token does not contain the email (which is correct).

It would be interesting to discuss if a similar flow could be implemented with the current hydra.


#2

Thank you for the investigation! I linked this in the issue :slight_smile:


#3