Tags: java, google-oauth, openid-connect, google-oauth-java-client

Google OAuth consent screen mentions data that my app did not request


My webapp uses "Sign In with Google for Web" (https://accounts.google.com/gsi/client script). For various reasons, I now want to get rid of the JS library and implement the required steps using only Google OAuth Client Library for Java, version 1.34.1.

While the process itself works, I'm annoyed by the fact that despite my app only asking for openid email scopes, Google displays the following message at the bottom of the consent (account chooser) dialog:

To continue, Google will share your name, email address, language preference, and profile picture with APPNAME.

This message is highly misleading for my users because despite this message, the tokens do not include any scopes that would allow my app to read the full name, profile picture or other details - only openid https://www.googleapis.com/auth/userinfo.email (equivalent to openid email) just as I asked. I intentionally did not include profile in the scopes list because my app only needs the account ID (for matching the app account) and the email address.

Why does that happen? Am I doing something wrong? When I used the Google Identity client library, no such message appeared. From the documentation, there seems to be no way to influence that behavior.

Here is the URL I redirect to (with added newlines for readability). It was built using AuthorizationCodeFlow.

https://accounts.google.com/o/oauth2/auth
?access_type=offline
&client_id=MYID.apps.googleusercontent.com
&redirect_uri=MYURL
&response_type=code
&scope=openid%20email
&state=MYSTATE
&nonce=MYNONCE

Update 1

The same thing happens when using the Google OAuth 2.0 Playground and entering openid email. It redirects to this URL:

https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount
?redirect_uri=https%3A%2F%2Fdevelopers.google.com%2Foauthplayground
&prompt=consent
&response_type=code
&client_id=407408718192.apps.googleusercontent.com
&scope=openid%20email
&access_type=offline
&service=lso
&o2v=2
&flowName=GeneralOAuthFlow

Screenshot of Google consent screen with the text "To continue, Google will share your name, email address, language preference, and profile picture with Google OAuth 2.0 Playground." at the bottom. The words "your name" and "language preference, and profile picture" are highlighted in yellow.

Update 2

For comparison, this is what the consent screen of a competitor looks like when asking for openid email:

Screenshot of Microsoft consent screen with the text "REDACTED will be able to sign you in, and assign a unique and anonymous ID to your account. REDACTED will be able to read your primary email address."
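The redirect URL above is what AuthorizationCodeFlow produces for `openid email`. The consent text itself cannot be changed from the client side, but the app can at least enforce on its own side that it never receives, or acts on, more than it asked for. The following is an added example (not the question author's code and not part of google-oauth-java-client itself) that builds the same URL with version 1.34.1 of the library, then validates the token response: it rejects any granted scope outside the requested set, verifies the ID token's issuer, audience and expiry with the library's IdTokenVerifier, and checks that the `nonce` claim matches the one sent in the redirect. CLIENT_ID, CLIENT_SECRET, REDIRECT_URI and the state/nonce values are placeholders; the token endpoint `https://oauth2.googleapis.com/token` is Google's published one.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import com.google.api.client.auth.oauth2.AuthorizationCodeFlow;
import com.google.api.client.auth.oauth2.BearerToken;
import com.google.api.client.auth.oauth2.ClientParametersAuthentication;
import com.google.api.client.auth.oauth2.TokenResponse;
import com.google.api.client.auth.openidconnect.IdToken;
import com.google.api.client.auth.openidconnect.IdTokenVerifier;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.gson.GsonFactory;

public class MinimalScopeLogin {
    // Placeholder values (assumption), not real credentials.
    static final String CLIENT_ID = "MYID.apps.googleusercontent.com";
    static final String CLIENT_SECRET = "MYSECRET";
    static final String REDIRECT_URI = "MYURL";

    // Exactly the scopes from the question: account id (sub) and email, no profile.
    static final List<String> REQUESTED_SCOPES = Arrays.asList("openid", "email");

    // Scope strings Google is known to return for "openid email"; anything else is rejected.
    static final Set<String> ACCEPTED_GRANTED_SCOPES = new HashSet<>(Arrays.asList(
            "openid", "email", "https://www.googleapis.com/auth/userinfo.email"));

    static final GsonFactory JSON = GsonFactory.getDefaultInstance();

    static AuthorizationCodeFlow buildFlow() {
        return new AuthorizationCodeFlow.Builder(
                BearerToken.authorizationHeaderAccessMethod(),
                new NetHttpTransport(),
                JSON,
                new GenericUrl("https://oauth2.googleapis.com/token"),
                new ClientParametersAuthentication(CLIENT_ID, CLIENT_SECRET),
                CLIENT_ID,
                "https://accounts.google.com/o/oauth2/auth")
                .setScopes(REQUESTED_SCOPES)
                .build();
    }

    /** Step 1: build the redirect URL. state and nonce must be kept server-side for later checks. */
    static String authorizationUrl(AuthorizationCodeFlow flow, String state, String nonce) {
        return flow.newAuthorizationUrl()
                .setRedirectUri(REDIRECT_URI)
                .setState(state)
                .set("access_type", "offline")  // core library has no setAccessType(); set it raw
                .set("nonce", nonce)
                .build();
    }

    /** Step 2: exchange the code and validate what came back before trusting any claim. */
    static String exchangeAndValidate(AuthorizationCodeFlow flow, String code,
                                      String expectedNonce) throws Exception {
        TokenResponse response = flow.newTokenRequest(code)
                .setRedirectUri(REDIRECT_URI)
                .execute();

        // Check 1: granted scopes must not exceed the requested set.
        String scope = response.getScope();
        for (String s : scope == null ? new String[0] : scope.split(" ")) {
            if (!ACCEPTED_GRANTED_SCOPES.contains(s)) {
                throw new SecurityException("unexpected granted scope: " + s);
            }
        }

        // Check 2: the ID token must be from Google, addressed to this client, unexpired.
        String rawIdToken = (String) response.get("id_token");
        if (rawIdToken == null) {
            throw new SecurityException("no id_token in token response");
        }
        IdToken idToken = IdToken.parse(JSON, rawIdToken);
        IdTokenVerifier verifier = new IdTokenVerifier.Builder()
                .setIssuers(Arrays.asList("https://accounts.google.com", "accounts.google.com"))
                .setAudience(Arrays.asList(CLIENT_ID))
                .build();
        if (!verifier.verify(idToken)) {
            throw new SecurityException("id_token failed issuer/audience/expiry verification");
        }

        // Check 3: bind the token to this login attempt via the nonce we sent in step 1.
        IdToken.Payload payload = idToken.getPayload();
        if (!expectedNonce.equals(payload.get("nonce"))) {
            throw new SecurityException("nonce mismatch");
        }

        // With openid + email only sub and email are expected; name/picture would require profile.
        return payload.getSubject() + " <" + payload.get("email") + ">";
    }
}
```

The scope check is deliberately a whitelist rather than a comparison against the literal request string, because (as the question notes) Google reports `email` back as `https://www.googleapis.com/auth/userinfo.email`. The nonce check matters because the library verifier does not know the value your app generated; without it an ID token from one login attempt could be replayed into another.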


Solution

  • The scopes

    All result in the same default message from Google's authorization server.


    I can verify that OpenId email scopes do not appear to give you access to user profile data.

    This is just the default message. If it's something that really bothers you, I would be happy to send a message off to the team. They mentioned a few months back that they were tuning the messages; this may be one of the ones that was changed.

    Update from Google

    This is a synopsis of what I got back from Google:

    The text you are seeing is actually working as intended.

    An application granted access to any of the three scopes (email, openid, profile) is able to perform a new OAuth request with any of the other scopes without triggering a new prompt (you can test it by getting a token with the email scope, and then requesting a new one with the openid scope, for instance). It is currently not possible to grant an application access to just the email address without the profile picture, or just the name without the email address, etc.