Currently, in a project that I'm working on, we use Google Workspace for an internal app. We want to access the email of some users, but not all. We investigated omitting some scopes for some users, but it wasn't possible.
We are using Google OAuth 2.0, setting gmail.readonly in the scope param, but we want the user (company workers) to pick which permission they allow us to access. The current consent window looks like this:
We want something like this:
We are using useGoogleLogin from @react-oauth/google for login, like this:

```js
const login = useGoogleLogin({
  onSuccess: (codeResponse) => {
    getApiAccessToken(codeResponse);
  },
  scope: 'https://www.googleapis.com/auth/gmail.readonly',
  flow: 'auth-code',
  enable_serial_consent: false,
  onError: () => {
    handleError();
  },
});
```
I don't know if we need to set up anything else there, but based on the docs of react-oauth/google it looks like everything is ok.
We also tried adding the include_granted_scopes: false param to useGoogleLogin, but apparently it is not related. The whole flow works as expected: we get the authorization code in the backend, request the access token, and so on. We only want to let the user decide whether or not they want to share their Gmail data.


This is possible if you ask for the user ID or email (openid or email scopes) before asking for additional scopes. You can make decisions based on the email or ID the user shared with you. If you need to enable granular permissions, you can set your client to be external (instead of org internal). If you still need to make sure that only users within a certain workspace domain will grant access to your app, one possible way to do that may be with the hd param.