google-oauth, oauth2-playground

Is there a way to *only* get a user's email address with Google's OAuth2 implementation?


I have a "Sign in with Google+" button on my page. When people click on it, I want the only thing they authorize to be "View your email address."

I don't want "Know who you are on Google" or "View basic information about your account." I only want their email address.

I'm playing on the OAuth 2.0 Playground (https://developers.google.com/oauthplayground/) and see this:


Scope: email

Requests:

  1. Know who you are on Google
  2. View your email address

Scope: https://www.googleapis.com/auth/userinfo.email (and this one is deprecated)

Requests:

  1. Know who you are on Google
  2. View your email address

Solution

  • Indeed, I've noticed that too. And I found an explanation from February 2013 here:

    This is an intentional change to more precisely communicate to users the set of permissions that is being granted. Through knowledge of the user's email address it is possible, via indirect means, to locate the user's profile address. In the interest of more accurate disclosure, thus, we are prompting users to approve such disclosure.