
Dynamically changing scopes leads to old scopes being still active

Open Compufreak345 opened this issue 9 years ago • 4 comments

I am trying to set the scopes by checkboxes, so my code looks like this:

<div class="vertical layout">
    <div>
        <paper-checkbox checked="{{syncContacts}}">Sync contacts</paper-checkbox>
    </div>
    <div>
        <paper-checkbox checked="{{syncCalendar}}">Sync calendar</paper-checkbox>
    </div>
    <google-signin scopes="[[_getScopes(syncContacts,syncCalendar)]]"></google-signin>
</div>

_getScopes: function(syncContacts, syncCalendar) {
    var s = "";
    if (syncContacts) s += "https://www.googleapis.com/auth/contacts.readonly ";
    if (syncCalendar) s += "https://www.googleapis.com/auth/calendar.readonly";
    return s;
}

It works when I check the boxes initially, but it always keeps the scopes that were checked once, because line 678 in google-signin-aware.html adds new scopes but does not remove old ones:

_scopesChanged: function(newVal, oldVal) {
    AuthEngine.requestScopes(newVal);
    this._updateScopeStatus();
}

The comment on the requestScopes says /** request additional scopes */ so it actually does not remove older scopes. I am not into AuthEngine so I don't know if there is any method for resetting the scopes, but I think something like this is needed there.

Compufreak345, Jan 14 '16 19:01

There is no way to do it. This was a conscious design decision. Google's signin library gapi.auth2 only supports revoking all scopes, and no partials. So our architecture does not support dropping scopes:

  • <google-signin> keeps a global registry of requested scopes, and does not keep count of how many times a scope has been registered.
  • when signinAware drops a scope, we can't remove it, because it could have been registered multiple times.

The only time when partial revoke would be useful is before permissions were granted. As a workaround, you can delay creating the signin-aware elements until the user clicks on the signin button.

atotic, Jan 14 '16 22:01

Thanks for the response, but if this is the case I have another problem that might be caused by this behavior: even if I leave the scopes property empty it requests the scopes openid, profile and email and I am not able to do something against it - what can I do to prevent this behavior?

Compufreak345, Jan 15 '16 10:01

Again, that is gapi.auth2 behavior.

atotic, Jan 15 '16 15:01

Thanks for the explanation - as this behavior is optional I made #120 - it would be great if this option could be added.

Compufreak345, Jan 15 '16 15:01
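The behaviour discussed in this thread, as an added example that is not part of the original issue and is not the AuthEngine source: a model of an additive scope registry, with an audit that lists scopes still requested after the user has unticked them. The class, function names and the `action` values are hypothetical; the scope URLs and the default scopes are the ones quoted in the thread.

```javascript
// Added illustration: a model of the behaviour described in this thread,
// not the actual AuthEngine code. All names here are hypothetical.

// Per the thread, these are requested even when `scopes` is left empty.
const DEFAULT_SCOPES = ['openid', 'profile', 'email'];

// Split a space-separated scope string (what _getScopes returns) into a Set.
function parseScopes(str) {
  return new Set((str || '').split(/\s+/).filter(Boolean));
}

// Global, additive registry: scopes are only ever added and no per-scope
// count is kept, so nothing can safely be removed again.
class AdditiveScopeRegistry {
  constructor() { this.requested = new Set(DEFAULT_SCOPES); }
  requestScopes(str) {
    for (const s of parseScopes(str)) this.requested.add(s);
  }
}

// Compare what the UI currently asks for with what is still registered.
// `stale` = scopes still active although the user has unticked them.
function auditScopes(registry, currentSelection) {
  const wanted = parseScopes(currentSelection);
  const stale = [...registry.requested]
    .filter(s => !wanted.has(s) && !DEFAULT_SCOPES.includes(s))
    .sort();
  // Only a full revoke is available (per the thread), so any stale scope
  // means: revoke everything, then request the current selection afresh.
  return { stale, action: stale.length ? 'revoke-all-and-rerequest' : 'none' };
}

// Constructed sample: the checkbox sequence from the issue.
const CONTACTS = 'https://www.googleapis.com/auth/contacts.readonly';
const CALENDAR = 'https://www.googleapis.com/auth/calendar.readonly';

function demo() {
  const reg = new AdditiveScopeRegistry();
  reg.requestScopes(`${CONTACTS} ${CALENDAR}`); // both boxes ticked
  reg.requestScopes(CALENDAR);                   // contacts unticked
  return auditScopes(reg, CALENDAR);
}

console.log(demo());
```

A non-empty `stale` list is the least-privilege gap the issue reports: the application still holds read access to data the user has deselected.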