gapi.auth2.getAuthInstance().currentUser.get().grantOfflineAccess({ 'scope': offlinescopes.join(" ") }).then(function (auth) {
vm.authResult.code = auth.code;
}
The documentation states that it should skip the account chooser. I am calling the offline access on additional scopes for the current user and it still pops up account chooser. Please advise. I do not want user to login twice.
Hi @kishoregunturu, could you provide the configuration you pass to the gapi.auth2.init call?
You should indeed not see the account chooser, i.e. the screen where you can select which Google Account to use. However, it will show an authorization screen so that the user can authorize the scopes requested, even if the scopes were already authorized upon sign in. This is because a code allows to request Google API's even when the user is no more signed in to your app, and so the user has to consciously authorize this type of access.
Thank you for getting back. Here is my workflow and code
initiated the script tag in the head
onload="this.onload=function(){};handleClientLoad()"
onreadystatechange="if (this.readyState === 'complete') this.onload()">
//the gapi init
gapi.load('client:auth2', function () {
gapi.auth2.init({ client_id: window.appConfig.clientId, scope: 'profile email') }).then(function () {
});
});
//button click event
return gapi.auth2.getAuthInstance().signIn().then(function (resp) {
vm.updateSigninStatus(resp);
});
//after authentication user in our app server side
//call offline access. this is where the account chooser keeps popping up instead of consent form
gapi.auth2.getAuthInstance().currentUser.get().grantOfflineAccess({ 'scope': 'https://www.googleapis.com/auth/admin.directory.user.readonly https://www.googleapis.com/auth/admin.directory.orgunit.readonly https://www.googleapis.com/auth/admin.directory.domain.readonly'}).then(function(auth){
});
index.txt
Here is my html file with the set up
@kishoregunturu thanks for the further information. I indeed see the account chooser screen first, which is a bug. I will investigate and get back to you.
Thank you so much. Please keep me posted. I have deadline for prod release. Any help will be trully appreciated
@kishoregunturu we deployed a fix that will only display the correct account instead of all logged in Google accounts in the account chooser screen. Let me know if that works for you!
I want to confirm the fix. It will still show the account chooser second time but only the logged in accounts??
@kishoregunturu right. I'm currently investigating whether we can skip this screen altogether.
I also getting the same screen for already signed in user. Is there any fixed deployed for this issue?
@sawanttushar not at this time. We're still discussing the behavior.
Any New Year resolution to fix this flow? ;) It's quite annoying (and confusing) for our users.
We are working on implementing the behavior but I unfortunately can't provide an ETA.
I think I have the same problem.
In theory, everything is working. I have the user give API access on the first login.
Calling auth2.grantOfflineAccess().then(signInCallback) to send the access token to the server if there is no data for the user on login, prompts another account chooser and will also ask for permissions again.
Here is my code: https://hastebin.com/opuhaconud.xml
Is there any way to avoid this?
@TMSCH: Is there any update available? I have noticed it's started asking for permissions(consent screen) again and again which is not the case earlier.
This consent screen is required on each time an offline code is issued, since, with an offline code, your application has the ability to request data on behalf of the user when the user is not present and in front of your application. User must consent on each such code issued.
https://stackoverflow.com/questions/30637984/what-does-offline-access-in-oauth-mean
Hello,
Any news on this? The team seems to be investigating on it for a year now :)
Thanks
Hey Google Guys,
Any news on this? This is very annoying to see all the user accounts on the popup screen ... I'm able to validate the proper account being picked at the backend server but that's very user unfriendly experience.
Thanks,
D
This is affecting my customer's project as well and still appears to be unresolved as of today. Please advise. Thanks.
I understand there may be other problems besides this one that needs fixing, but signing a user in should be a simple and straight forward task at this point with technology. If there is anything I may be able to help with, I'd be happy to do so.
As it stands, I too am still experiencing this issue along with everyone else.
Hi, guys! Any update on this?
@TMSCH @grant Do we have any sample code for getting new access token?
Wondering if there is any update or workaround for this?
Thanks!
Hey guys !
I managed to make it work
here is my code
grantOfflineAccess() {
return new Promise((resolve, reject) => {
if (gapi.auth2.getAuthInstance().isSignedIn.get()) {
return gapi.auth2
.getAuthInstance()
.currentUser.get()
.grantOfflineAccess({
prompt: "none", // here is the relevant option
scope: "profile email"
})
.then(response => {
if (response && response.code) {
return resolve(response.code)
}
return reject(Error("no offline access code"))
})
}
return reject(Error("no user"))
})
}
be sure to have correctly signed in your user before triggering the offline flow
EDIT
The returned code doesn't allow the generation of a refresh_token. To get a refresh_token you need to prompt the account selector to the user.
This is a big issue as users can select another account resulting on the storage of two unrelated access_token and refresh_token on the backend.
@MathiasGilson this does not work.
Note that none is not available for the offline code flow.
source: https://developers.google.com/identity/sign-in/web/reference#gapiauth2offlineaccessoptions
My workaround to this problem:
grantOfflineAccess signs in the user in and can replace the signIn method.
When the authorization code is passed to the callback, the current user can be received to by calling the getAuthInstance.
gapi.auth2.getAuthInstance()
.grantOfflineAccess({
prompt: 'consent'
})
// @workaround timing issues with fetching the google profile
// which is reading deferred infos from the OAuth2 response
.then((code) =>
new Promise<{ code: string }>((res) => {
gapi.auth2.getAuthInstance().isSignedIn.listen(() => res(code));
})
)
.then(
({ code }) =>
[
gapi.auth2.getAuthInstance().currentUser.get(),
code
] as const
);
@albohlabs Do you check if the refresh token has been received previously for the user logging in - I think in your workaround a new refresh token will be issued on every login
@rajivsubra1981 This is indeed the case. But for my use case this was not an issue.
Most helpful comment
This is affecting my customer's project as well and still appears to be unresolved as of today. Please advise. Thanks.