php, google-oauth, google-authentication, google-cloud-identity

Preselect account for Google OAuth2 consent screen to prevent redundant account selection


In my webapp I want to implement the following flow:

  1. User clicks the "Log in with Google" button
  2. User selects an account on the redirected screen
  3. I receive a JWT containing the account ID and email address
  4. I set the account ID as the login hint and set the prompt to 'consent' only
  5. I create the auth URL and redirect to Google again for the consent
  6. On this second consent screen the user should only have to approve the consent and not select their account a second time
  7. I process the callback from the consent

According to the docs, I implemented the callback from the "Log in with Google" button as follows:

// $client is a Google\Client that has already been configured with the client ID and secret
$payload = $client->verifyIdToken($id_token); // Verify the JWT; returns the claims on success, false otherwise
if ($payload) {
    $userid = $payload['sub']; // The user's unique Google ID
    $client->setLoginHint($userid); // Pass the user ID as the hint for the consent step
    $client->setPrompt('consent'); // Ask only for consent (no account chooser)
    $client->setScopes(...);
    $client->setAccessType('offline');
    $client->setRedirectUri(...);

    // Create the auth URL for the consent step and redirect
    $auth_url = $client->createAuthUrl();
    header('Location: ' . filter_var($auth_url, FILTER_SANITIZE_URL));
    exit;
}

https://developers.google.com/identity/protocols/oauth2/web-server#creatingclient

Observed behavior:

  1. User clicks the "Log in with Google" button
  2. User clicks an account and the JWT is provided
  3. User is redirected to the consent screen
  4. User has to select the account again <-- Unwanted behavior
  5. User agrees to the consent
  6. User is redirected to the callback

How do I implement this OAuth2 consent correctly so that I don't have to ask the user to select their account twice?


Solution

  • Apparently the docs are incorrect. The description for login_hint says:

    If your application knows which user is trying to authenticate, it can use this parameter to provide a hint to the Google Authentication Server. The server uses the hint to simplify the login flow either by prefilling the email field in the sign-in form or by selecting the appropriate multi-login session.

    Set the parameter value to an email address or sub identifier, which is equivalent to the user's Google ID.

    According to this statement the user ID (obtained from the JWT as $payload['sub']) can be passed as the argument, but this appears not to be working.

    When changing this to the actual email address (obtained from the JWT as $payload['email']) it does work, and the second account selection screen (step 4 in the observed behavior) is skipped.
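The complete two-leg flow described in the question, with the email-based login_hint from the answer above, as an added example; this is not code from the question or the answer. It assumes the google-api-php-client (Google\Client) via Composer, PHP sessions for state, and placeholder client ID, secret, redirect URI and scope values that you would replace with your own. It also adds two checks a practitioner would want: a `state` value bound to the session (CSRF protection on the callback), and a comparison of the `sub` from the consent callback's ID token against the `sub` from the first sign-in, because login_hint is only a hint and the user can still switch to a different Google account on the consent screen.

```php
<?php
// Added example (not from the question or answer): sign-in, then consent with
// login_hint = email, then a callback that verifies state and the account identity.
// Assumes Composer autoload and placeholder credentials (replace with your own).
require_once __DIR__ . '/vendor/autoload.php';

session_start();

function makeClient(): Google\Client
{
    $client = new Google\Client();
    $client->setClientId('YOUR_CLIENT_ID.apps.googleusercontent.com'); // placeholder
    $client->setClientSecret('YOUR_CLIENT_SECRET');                    // placeholder
    $client->setRedirectUri('https://example.com/oauth/callback');     // placeholder
    return $client;
}

// Leg 1: the "Log in with Google" button returned an ID token (JWT).
function startConsent(string $idToken): string
{
    $client = makeClient();
    $payload = $client->verifyIdToken($idToken); // false if signature/audience/expiry fail
    if (!$payload) {
        throw new RuntimeException('ID token failed verification');
    }

    // Remember who signed in so the consent callback can check it is the same account.
    $_SESSION['oauth_sub'] = $payload['sub'];

    // Per the answer above: the email, not the sub, is what pre-selects the account.
    $client->setLoginHint($payload['email']);
    $client->setPrompt('consent');      // consent screen only, no account chooser
    $client->setAccessType('offline');  // request a refresh token
    $client->setScopes([
        'openid',
        'email',
        'https://www.googleapis.com/auth/calendar.readonly', // example scope (placeholder)
    ]);

    // Unguessable state bound to this session; checked on the callback (CSRF protection).
    $state = bin2hex(random_bytes(16));
    $_SESSION['oauth_state'] = $state;
    $client->setState($state);

    return $client->createAuthUrl();
}

// Leg 2: Google redirected back with ?code=...&state=...
function finishConsent(string $code, string $state): array
{
    if (!hash_equals($_SESSION['oauth_state'] ?? '', $state)) {
        throw new RuntimeException('state mismatch');
    }
    unset($_SESSION['oauth_state']); // single use

    $client = makeClient();
    $token = $client->fetchAccessTokenWithAuthCode($code);
    if (isset($token['error'])) {
        throw new RuntimeException('token exchange failed: ' . $token['error']);
    }

    // login_hint is only a hint: the user can still pick another account on the
    // consent screen, so confirm the account that granted consent is the one that signed in.
    $payload = $client->verifyIdToken($token['id_token']);
    if (!$payload || $payload['sub'] !== ($_SESSION['oauth_sub'] ?? null)) {
        throw new RuntimeException('consent was granted by a different Google account');
    }

    return $token; // access_token, expires_in and (with access_type=offline) refresh_token
}

// Minimal dispatch for the two callbacks.
if (isset($_POST['credential'])) {           // Leg 1: ID token posted by the sign-in button
    header('Location: ' . startConsent($_POST['credential']));
    exit;
}
if (isset($_GET['code'], $_GET['state'])) {  // Leg 2: consent callback
    $token = finishConsent($_GET['code'], $_GET['state']);
    echo 'Consent granted for Google account ' . htmlspecialchars($_SESSION['oauth_sub']);
}
```

The `sub` comparison is the important part for security: the first sign-in proves who the user is, and without the check a user who switches accounts on the consent screen would have another account's tokens stored against their own login.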