I have a "Sign in with Google+" button on my page. When people click on it, I want the only thing they authorize to be "View your email address."

I don't want "Know who you are on Google" or "View basic information about your account." I only want their email address.

I'm playing on the OAuth 2.0 Playground (https://developers.google.com/oauthplayground/) and see this:

Scope: email

Requests:
  1. Know who you are on Google
  2. View your email address

Scope: https://www.googleapis.com/auth/userinfo.email (and this one is deprecated)

Requests:
  1. Know who you are on Google
  2. View your email address

Asked by iffy

2 Answers


Indeed, I've noticed that too. And I found an explanation from February 2013 here:

This is an intentional change to more precisely communicate to users the set of permissions that is being granted. Through knowledge of the user's email address it is possible, via indirect means, to locate the user's profile address. In the interest of more accurate disclosure, thus, we are prompting users to approve such disclosure.

Edited by Arjan; answered by Owen Cao

  • That's not what I wanted to hear, but thank you for pointing this out. I wish this was explicit in the docs. – iffy Jun 26 '14 at 17:00
  • Stack Exchange might have been trying to convince Google otherwise: [*We have several guys at Google I/O this week that are going to try and pin the Google guys down and see if we can get some reasonable change here.*](http://meta.stackexchange.com/questions/234365/why-do-you-need-to-know-who-i-know-on-google/234369?noredirect=1#comment771284_234515) Of course, this is an old change, but since Google is deprecating OpenID, this is getting noticed. – Arjan Jun 29 '14 at 11:02
Not exactly what you want, but combining profile and email will at least give one a less scary description for the first:

This app would like to:

  • View basic information about your account
  • View your email address

...with the help for the first saying:

More info

  • View your name, public profile URL, and photo
  • View your gender
  • View your country, language, and timezone

To me, this feels better than the vague "This app is requesting permission to associate you with your public Google profile", which one gets as the More Info for "Know who you are on Google+" when not explicitly using scope `profile`, or when using scope `openid`.

As an aside: LinkedIn's OAuth 2 also always needs a user to grant access to "Your Profile Overview", even if an application only needs some unique identifier. Unlike with Google's explanation in Owen's answer, I assume LinkedIn really wants developers to use their network features.

Edited by Community; answered by Arjan
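The consent text Google shows is chosen by Google, so the only lever an application has is which scopes it requests. The following is an added example, not code from the question or either answer, showing how to build the Google OAuth 2.0 authorization request with exactly the scope set the app needs (`email` alone, or `profile` plus `email` as the second answer suggests), with a random `state` value for the usual CSRF check on the redirect. The client id and redirect URI are placeholders; the authorization endpoint is Google's documented `https://accounts.google.com/o/oauth2/v2/auth`.

```python
"""Added example (not part of the original question or answers): building a
Google OAuth 2.0 authorization request that asks only for the scopes the
application actually needs, plus the state check on the way back.

Assumptions (not from the page): the client id and redirect URI below are
placeholders; the endpoint is Google's documented authorization endpoint.
"""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Scopes discussed in the thread. The deprecated userinfo.email URI is kept
# here only so the helper can be asserted against it; new code uses "email".
SCOPE_EMAIL = "email"
SCOPE_PROFILE = "profile"
SCOPE_USERINFO_EMAIL = "https://www.googleapis.com/auth/userinfo.email"


def build_auth_url(client_id, redirect_uri, scopes, state=None):
    """Return (url, state) for the authorization-code request.

    scopes: iterable of scope strings; duplicates are dropped and the set is
    joined with spaces as OAuth 2.0 requires. A fresh random state is created
    when none is given; the caller stores it in the session and compares it
    with the value Google echoes back on the redirect URI.
    """
    scope_list = sorted(set(scopes))
    if not scope_list:
        raise ValueError("at least one scope is required")
    if state is None:
        state = secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scope_list),
        "state": state,
    }
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params), state


def scopes_in_url(url):
    """Parse the scope parameter back out of an authorization URL, so a unit
    test can assert the app never requests more than it should."""
    query = parse_qs(urlparse(url).query)
    return set(query.get("scope", [""])[0].split())


def verify_state(stored_state, returned_state):
    """Constant-time comparison of the session's state with the one returned
    on the redirect; a mismatch means the callback must be rejected."""
    return secrets.compare_digest(stored_state, returned_state)


if __name__ == "__main__":
    # Least-privilege request from the question: email only.
    url, state = build_auth_url("PLACEHOLDER_CLIENT_ID",
                                "https://app.example/oauth2/callback",
                                [SCOPE_EMAIL])
    print(url)
    print(scopes_in_url(url))  # {'email'}

    # The second answer's variant: profile + email.
    url2, _ = build_auth_url("PLACEHOLDER_CLIENT_ID",
                             "https://app.example/oauth2/callback",
                             [SCOPE_PROFILE, SCOPE_EMAIL])
    print(scopes_in_url(url2))  # {'email', 'profile'}
```

`scopes_in_url` is the check worth keeping in a test suite: it fails the build if someone later widens the scope list, which is the only part of the consent screen the application controls.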