My webapp uses "Sign In with Google for Web" (the https://accounts.google.com/gsi/client script). For various reasons, I now want to get rid of the JS library and implement the required steps using only the Google OAuth Client Library for Java, version 1.34.1.
While the process itself works, I'm annoyed by the fact that despite my app only asking for the openid email scopes, Google displays the following message at the bottom of the consent (account chooser) dialog:
To continue, Google will share your name, email address, language preference, and profile picture with APPNAME.
This message is highly misleading for my users because, despite this message, the tokens do not include any scopes that would allow my app to read the full name, profile picture or other details, only openid https://www.googleapis.com/auth/userinfo.email (equivalent to openid email), just as I asked. I intentionally did not include profile in the scopes list because my app only needs the account ID (for matching the app account) and the email address.
Why does that happen? Am I doing something wrong? When I used the Google Identity client library, no such message appeared. From the documentation, there seems to be no way to influence that behavior.
Here is the URL I redirect to (with added newlines for readability). It was built using AuthorizationCodeFlow.
https://accounts.google.com/o/oauth2/auth
?access_type=offline
&client_id=MYID.apps.googleusercontent.com
&redirect_uri=MYURL
&response_type=code
&scope=openid%20email
&state=MYSTATE
&nonce=MYNONCE
The same thing happens when using the Google OAuth 2.0 Playground and entering openid email. It redirects to this URL:
https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount
?redirect_uri=https%3A%2F%2Fdevelopers.google.com%2Foauthplayground
&prompt=consent
&response_type=code
&client_id=407408718192.apps.googleusercontent.com
&scope=openid%20email
&access_type=offline
&service=lso
&o2v=2
&flowName=GeneralOAuthFlow
For comparison, this is what the consent screen of a competitor looks like when asking for openid email:
The scopes all result in the same default message from Google's authorization server.
I can verify that the openid email scopes do not appear to give you access to user profile data.
This is just a default message. If it's something that really bothers you, I would be happy to send a message off to the team. They mentioned a few months back that they were tuning the messages; this may be one of the ones that was changed.
This is a synopsis of what I got back from Google:
The text you are seeing is actually working as intended.
An application granted access to any of the three scopes (email, openid, profile) is able to perform a new OAuth request with any of the other scopes without triggering a new prompt (you can test it by getting a token with the email scope, and then requesting a new one with the openid scope, for instance). It is currently not possible to grant an application access to just the email address without the profile picture, or just the name without the email address, etc.
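The practical consequence of the two messages above is that the consent text is not the contract; the scope string echoed in the token response and the claims in the ID token are. As an added example that is neither the asker's code nor a sample from Google's library, the class below wires the redirect URL from the question (AuthorizationCodeFlow with openid email, state and nonce) to a callback that rejects the login if Google reports any scope outside the app's allow-list, and that checks the ID token's issuer, audience, expiry and nonce before using the account ID. It assumes the Google OAuth Client Library for Java 1.34.1 with its Gson JSON module on the classpath, the placeholder client ID, secret and redirect URI shown, Google's current token endpoint at https://oauth2.googleapis.com/token, and a server-side session that keeps state and nonce between the redirect and the callback.

```java
import com.google.api.client.auth.oauth2.AuthorizationCodeFlow;
import com.google.api.client.auth.oauth2.AuthorizationCodeRequestUrl;
import com.google.api.client.auth.oauth2.BearerToken;
import com.google.api.client.auth.oauth2.ClientParametersAuthentication;
import com.google.api.client.auth.openidconnect.IdToken;
import com.google.api.client.auth.openidconnect.IdTokenResponse;
import com.google.api.client.auth.openidconnect.IdTokenVerifier;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.gson.GsonFactory;

import java.io.IOException;
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

public class GoogleOidcLogin {
    // Placeholders (assumed): replace with the values from your own client registration.
    private static final String CLIENT_ID = "MYID.apps.googleusercontent.com";
    private static final String CLIENT_SECRET = "MYSECRET";
    private static final String REDIRECT_URI = "MYURL";

    // Scopes the app asks for, and the names Google may echo back for exactly those grants
    // (the question shows "openid https://www.googleapis.com/auth/userinfo.email" coming back).
    private static final Set<String> REQUESTED = new HashSet<>(Arrays.asList("openid", "email"));
    private static final Set<String> ACCEPTED_GRANTED = new HashSet<>(Arrays.asList(
            "openid", "email", "https://www.googleapis.com/auth/userinfo.email"));

    private static final SecureRandom RNG = new SecureRandom();

    private final AuthorizationCodeFlow flow = new AuthorizationCodeFlow.Builder(
            BearerToken.authorizationHeaderAccessMethod(),
            new NetHttpTransport(),
            GsonFactory.getDefaultInstance(),
            new GenericUrl("https://oauth2.googleapis.com/token"),   // assumed token endpoint
            new ClientParametersAuthentication(CLIENT_ID, CLIENT_SECRET),
            CLIENT_ID,
            "https://accounts.google.com/o/oauth2/auth")            // endpoint from the question
            .setScopes(REQUESTED)
            .build();

    /** Unpredictable, URL-safe value for state and nonce (130 random bits, base-32). */
    static String randomToken() {
        return new BigInteger(130, RNG).toString(32);
    }

    /** Builds the redirect URL shown in the question; caller stores state and nonce in the session. */
    String authorizationUrl(String state, String nonce) {
        AuthorizationCodeRequestUrl url = flow.newAuthorizationUrl()
                .setRedirectUri(REDIRECT_URI)
                .setState(state);                 // CSRF binding, compared on the callback
        url.set("access_type", "offline");
        url.set("nonce", nonce);                  // Google copies this into the ID token
        return url.build();
    }

    /**
     * Exchanges the code and enforces what was actually granted instead of trusting the consent text.
     * Returns Google's stable account ID ("sub") for matching the app account.
     */
    String completeLogin(String code, String expectedNonce) throws IOException {
        IdTokenResponse resp = IdTokenResponse.execute(
                flow.newTokenRequest(code).setRedirectUri(REDIRECT_URI));

        // 1. Granted scopes: any name outside the allow-list means the grant is broader than this app wants
        //    (per Google's answer, a prior profile grant can silently carry over to a later request).
        if (resp.getScope() == null) {
            throw new IOException("Token response did not report granted scopes");
        }
        Set<String> granted = new HashSet<>(Arrays.asList(resp.getScope().trim().split("\\s+")));
        if (!ACCEPTED_GRANTED.containsAll(granted)) {
            throw new IOException("Unexpected scopes granted: " + granted);
        }

        // 2. ID token: issuer, audience and expiry via the library's verifier, then the nonce we issued.
        IdToken idToken = resp.parseIdToken();
        IdTokenVerifier verifier = new IdTokenVerifier.Builder()
                .setIssuers(Arrays.asList("https://accounts.google.com", "accounts.google.com"))
                .setAudience(Collections.singleton(CLIENT_ID))
                .build();
        if (!verifier.verify(idToken)) {
            throw new IOException("ID token failed issuer/audience/expiry verification");
        }
        if (expectedNonce == null || !expectedNonce.equals(idToken.getPayload().getNonce())) {
            throw new IOException("ID token nonce mismatch");
        }
        return idToken.getPayload().getSubject();
    }
}
```

The scope check is deliberately an allow-list rather than an equality test against the requested string, because Google returns the long userinfo.email name for the short email alias; the nonce and state values come from randomToken() and must be compared against what the session stored when authorizationUrl() was called, never against values taken from the callback request itself.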