1
votes

Google Apps Marketplace #5 best practice says users shouldn't see the consent screen after an admin installs the app. I have been trying to get this working on a Rails app using devise and omniauth-google-oauth2 for authentication. I have set up the app in a test domain using an admin account, but non-admin users always see the consent screen. Any idea how to avoid it? https://github.com/zquestz/omniauth-google-oauth2 has some help, but setting any of the options specified there didn't help.

My config looks like below:

config.omniauth :google_oauth2, "code", "code", { access_type: "online", approval_prompt: "none", include_granted_scopes: "true", prompt: "select_account" }

Specifying scopes like "email,profile,calendar,https://www.google.com/m8/feeds/" gives the following error:

Error: invalid_scope

Some requested scopes were invalid. {valid=[https://www.googleapis.com/auth/calendar, https://www.google.com/m8/feeds/], invalid=[https://www.googleapis.com/auth/profile, https://www.googleapis.com/auth/email], noncanonical=[https://www.google.com/m8/feeds/(https://www.googleapis.com/auth/contacts)]}

2 Answers

1
votes

Adding

https://www.googleapis.com/auth/plus.me

to the list of scopes in "Google Apps Marketplace SDK" solved the issue. When the domain admin installs the app, the rest of the domain users will not see the consent screen.

Even my omniauth config is simplified now. It looks like below:

config.omniauth :google_oauth2, "XXX.apps.googleusercontent.com", "YYY", { access_type: "online", approval_prompt: "none", include_granted_scopes: "true" }
0
votes

Regarding the invalid_scope error, I think you need to use the following scopes for profile and email:

https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile

FYI, use https://developers.google.com/oauthplayground/ to find out the valid scopes for other Google APIs.
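
An added example, not part of either answer or of omniauth-google-oauth2: a small Ruby helper that expands a comma-separated scope list without producing the invalid `.../auth/profile` and `.../auth/email` URLs, and that parses the `invalid_scope` message from the question into its valid, invalid and noncanonical parts. The helper names are hypothetical; the `userinfo.*` mapping is the one suggested in the second answer, and the prefixing of short names is inferred from the error text in the question.

```ruby
# Added example; helper names are hypothetical, not omniauth-google-oauth2 API.
AUTH_PREFIX = "https://www.googleapis.com/auth/"

# Short names that are invalid when prefixed as-is (mapping from the second answer).
ALIASES = { "email" => "userinfo.email", "profile" => "userinfo.profile" }.freeze

# Error text copied from the question.
SAMPLE_ERROR = "Some requested scopes were invalid. " \
  "{valid=[https://www.googleapis.com/auth/calendar, https://www.google.com/m8/feeds/], " \
  "invalid=[https://www.googleapis.com/auth/profile, https://www.googleapis.com/auth/email], " \
  "noncanonical=[https://www.google.com/m8/feeds/(https://www.googleapis.com/auth/contacts)]}"

# Turn "email,profile,calendar,https://..." into full scope URLs.
# Full URLs pass through untouched; short names get the auth prefix.
def expand_scopes(list)
  list.split(/[,\s]+/).reject(&:empty?).map do |scope|
    next scope if scope.start_with?("https://", "http://")
    AUTH_PREFIX + ALIASES.fetch(scope, scope)
  end.uniq
end

# Parse "{valid=[a, b], invalid=[c], noncanonical=[d(e)]}" into a hash of arrays.
def parse_invalid_scope(message)
  body = message[/\{(.*)\}/m, 1]
  return Hash.new if body.nil?
  body.scan(/(\w+)=\[(.*?)\]/).to_h { |key, items| [key.to_sym, items.split(/,\s*/)] }
end

# Map each noncanonical scope to the canonical URL Google reports in parentheses.
def canonical_replacements(parsed)
  parsed.fetch(:noncanonical, []).each_with_object({}) do |entry, out|
    match = entry.match(/\A(.+)\((.+)\)\z/)
    out[match[1]] = match[2] if match
  end
end

if __FILE__ == $PROGRAM_NAME
  requested = expand_scopes("email,profile,calendar,https://www.google.com/m8/feeds/")
  parsed = parse_invalid_scope(SAMPLE_ERROR)
  puts "scope param:    #{requested.join(' ')}"
  puts "still invalid:  #{(requested & parsed[:invalid]).inspect}"
  puts "canonical form: #{canonical_replacements(parsed).inspect}"
end
```
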