1
votes

There's a section in Google Cloud Console > APIs & Services > Credentials > OAuth Consent Screen that lets you edit a list of scopes:


However it seems to have zero bearing on the actual permissions that are asked for in the user prompt, which seem to only be influenced by what I actually pass in from my code when going through the OAuth flow. The list does not seem to update itself to reflect the actual scopes you ask for from your code, and it also does not limit the scopes that you can request from your code.

Is the list of scopes configured in the OAuth Consent Screen used for anything?

2
I believe this is a list of all possible scopes, and then what you pass in is what the user actually agrees to. It would allow you to limit the breadth of access to each user based on what they actually use. E.g., not accessing contacts unless they enable a 'sharing' feature. - FridayPush
@FridayPush But you can edit this list of scopes, and it does not seem to update itself to reflect the actual scopes you ask for from your code, and it does not limit the scopes that you can request from your code. - Yang

2 Answers

1
votes

In your screenshot on the right side "Scopes for Google APIs", this is a list of scopes that your application has asked for in the past. If your app requires validation, Google will use this list as part of its process to evaluate your app. For most of the items (scopes) in the list, you can click the delete icon to remove the scope from the list.

When you create your credentials (OAuth Tokens), you specify the scopes that you want at that time. The list in your screenshot is not used to specify scopes, just to keep track of the ones that you have used.

0
votes

As mentioned by @Hanley, this screen shows the list of scopes that your application has asked for in the past. If your application needs to be verified, Google will use the scope list. You can add or delete any scopes that you want. The key point is that the screen is used for verification of your application. Add or delete any scopes that you want. Once approved, however, if you use a scope that is not approved, then the approval process needs to be repeated.

When credentials are generated, this specifies the scope that is needed at that time. The list updates itself based on the scopes used by the application. However, the update is not immediate.
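
Since the consent-screen list does not constrain what the code requests, drift between the two has to be checked by hand. The following is an added example, not code from the question, the answers or Google's tooling: it parses the `scope` parameter of an authorization URL and diffs it against a list copied manually from the consent screen. The function names, the sample URL, the client ID placeholder and the registered list are all constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Short names Google accepts in place of the full userinfo scope URLs.
ALIASES = {
    "email": "https://www.googleapis.com/auth/userinfo.email",
    "profile": "https://www.googleapis.com/auth/userinfo.profile",
}

def normalize(scope):
    """Map a short alias to its full scope URL so both spellings compare equal."""
    scope = scope.strip()
    return ALIASES.get(scope, scope)

def requested_scopes(auth_url):
    """Return the set of scopes an authorization URL asks the user to grant."""
    query = parse_qs(urlsplit(auth_url).query)
    scopes = set()
    for value in query.get("scope", []):
        # OAuth 2.0 scope values are space-delimited; parse_qs has already
        # decoded %20 and '+' into spaces.
        scopes.update(normalize(s) for s in value.split())
    return scopes

def scope_drift(auth_url, registered):
    """Compare requested scopes with the list kept on the consent screen."""
    requested = requested_scopes(auth_url)
    registered_set = {normalize(s) for s in registered}
    return {
        # Requested by code but absent from the consent-screen list.
        "unregistered": sorted(requested - registered_set),
        # On the consent-screen list but never requested by this URL.
        "unused": sorted(registered_set - requested),
    }

# Constructed sample: the URL an app might redirect the user to.
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=EXAMPLE_CLIENT_ID&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback"
    "&scope=openid%20email%20"
    "https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly"
)
# Constructed sample: scopes copied by hand from the consent screen.
REGISTERED = [
    "openid",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/drive.file",
]

if __name__ == "__main__":
    print(scope_drift(SAMPLE_URL, REGISTERED))
```

Anything reported under `unregistered` is a scope the user prompt will show that the consent-screen list does not mention; anything under `unused` is a candidate for removal from the list.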