Are you using approval_prompt=force?

The recent launch of incremental auth has highlighted a couple of problems in the way some sites have implemented Google+ Sign-In or Google OAuth 2.0. The most obvious of these is that there are a fair number of places that use approval_prompt=force much more often than they should, which leads to a much worse user experience than there needs to be.

What’s the problem?

Several sites set approval_prompt to force, either in the JavaScript Google+ Sign-In button (where the parameter is generally called approvalprompt) or as a parameter in the auth URL in a redirect-based flow. This parameter means that users have to see the consent screen even if they had previously granted access to the application for the requested scopes.

While this was never a great user experience, the recent release of incremental auth has made it even more visible. Because the user has granted access before, they are not shown the scopes they have already approved. However, because force is specified, a consent dialog still has to be shown. The only reason to show a consent dialog when the user has consented previously is to get a code that can be exchanged for a new refresh token, which is used primarily for offline access. Therefore the consent dialog shows the app requesting only to "Have offline access".

This looks pretty weird! If you want to try it yourself, there is a small demo below.

There are two main reasons (that I'm aware of) why people do this:

  1. It's copied and pasted from an example
  2. To stop immediate mode auth from firing and signing the user in when the button is displayed

The second is a concern for people implementing the JavaScript sign-in flows, and is usually seen with a site sign-out feature. For example, you might try to log people out by deleting the application cookie, but then see them immediately signed in again due to the immediate mode check that runs when the sign-in button renders. The best way to resolve this is to call gapi.auth.signOut when you log the user out. This sets local state that prevents the immediate mode check from signing the user in, and lets you display the button appropriately.

In the first case, where the parameter simply came along with the copied example, remove it and users will be able to sign in without seeing another consent dialog.

When should I use force?

Forcing the approval prompt should only be used when you need to acquire a new refresh token. For example, if a user signs in but the refresh token stored server-side is no longer valid (perhaps it was accidentally deleted), you may want to show a dialog saying “we lost access to your [Google Service Here], please sign in to re-enable it”. At that point you can pass force to make a consent dialog appear and get a code that returns a refresh token when exchanged.
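To make the rule above concrete for the redirect-based flow mentioned earlier, here is an added example (not code from the original post or from Google's libraries) that builds the authorization URL and adds approval_prompt=force only when the app wants offline access and has no usable refresh token stored for the user. The endpoint, client ID, redirect URI, scopes and state value are assumptions for illustration; the parameter names are the standard Google OAuth 2.0 ones discussed in the post.

```javascript
// Added example: build a Google OAuth 2.0 authorization URL for the
// redirect-based flow, passing approval_prompt=force only when a new
// refresh token is actually needed. Endpoint and all sample values below
// are assumptions for illustration, not taken from the original post.
const AUTH_ENDPOINT = 'https://accounts.google.com/o/oauth2/auth';

// Decide whether this sign-in must produce a fresh refresh token.
// True only when the app wants offline access AND has no refresh token
// stored for this user (for example, it was accidentally deleted).
function needsNewRefreshToken({ wantOffline, storedRefreshToken }) {
  return Boolean(wantOffline) && !storedRefreshToken;
}

// Build the auth URL. `state` should be an unguessable per-request value
// tied to the user's session so the callback can reject forged responses.
function buildAuthUrl({
  clientId,
  redirectUri,
  scopes,
  state,
  wantOffline = false,
  storedRefreshToken = null,
}) {
  const params = new URLSearchParams({
    response_type: 'code',
    client_id: clientId,
    redirect_uri: redirectUri,
    scope: scopes.join(' '),
    state,
  });

  // access_type=offline asks for a refresh token at all; on its own it
  // does not force a consent screen for a user who already consented.
  if (wantOffline) {
    params.set('access_type', 'offline');
  }

  // Only force the consent dialog when we genuinely need a new refresh
  // token. Leaving this out is the fix for the copy-and-paste case.
  if (needsNewRefreshToken({ wantOffline, storedRefreshToken })) {
    params.set('approval_prompt', 'force');
  }

  return `${AUTH_ENDPOINT}?${params.toString()}`;
}

// Helper for inspecting a built URL (used by the checks below).
function hasForcedApproval(url) {
  return new URL(url).searchParams.get('approval_prompt') === 'force';
}

// Constructed sample inputs, not real credentials.
const sample = {
  clientId: '1234567890.apps.googleusercontent.com',
  redirectUri: 'https://app.example.com/oauth2callback',
  scopes: ['openid', 'profile'],
  state: 'a3f9c1e2d4b6',
};

// Plain sign-in: no force, so a returning user is not re-prompted.
console.log(buildAuthUrl(sample));
// Offline access requested but we lost the stored refresh token: force.
console.log(buildAuthUrl({ ...sample, wantOffline: true }));
```

For the JavaScript sign-in button the same decision applies to the approvalprompt parameter: leave it unset for ordinary sign-in and only set it to force on the explicit “we lost access, please sign in again” path. Note that on Google's newer authorization endpoint approval_prompt has been superseded by prompt=consent, which has the same effect of re-showing the consent screen.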

Any questions about this, feel free to leave in the comments!
