5

Let's say I have an application and my application has been running for years requesting access of users. The application in question was requesting way more access than was needed or the application has been changed and no longer needs some of the scopes which it is requesting.

The offending scopes have been removed so new users are no longer prompted for access that we don't need.

However, we now have a number of older users whose refresh tokens grant us access which we don't need. I would like to fix this by removing the no longer needed scopes from their authorization. The easiest solution would probably be to just revoke their tokens and require that they re-authorize, however I think this would be unacceptable to the customers.

Examples of scopes:

https://www.googleapis.com/auth/analytics View and manage your Google Analytics data

The application is asking for full access. The application doesn't need full access

https://www.googleapis.com/auth/analytics.readonly View your Google Analytics data

Is it possible to remove scopes from authorization? I know it's possible to request additional permissions but I haven't been able to find a way of removing excessive permissions.

pinoyyid
Linda Lawton - DaImTo

2 Answers

2

You can explicitly set the scopes your script project uses by editing its manifest file. The manifest field oauthScopes is an array of all scopes used by the project. To set your project's scopes, do the following:

  1. Open the script project in the Apps Script editor.
  2. In the menu, select File > Project properties.
  3. Select the Scopes tab.
  4. Review the scopes your script currently requires and determine what changes need to be made. Click Cancel when finished.
  5. If the manifest file appsscript.json isn't visible in the left nav bar, select the View > Show manifest file menu item.
  6. Select the appsscript.json file in the left nav to open it.
  7. Locate the top-level field labeled oauthScopes. If it is not present, you can add it.
  8. The oauthScopes field specifies an array of strings. To set the scopes your project uses, replace the contents of this array with the scopes you want it to use. For example:

enter image description here

  9. Save the manifest file using Ctrl+S or the Save file icon in the menu bar.

More info here: https://developers.google.com/apps-script/concepts/scopes

DannyFeliz
1

No it isn't possible.

Scopes aren't nested. So although logically analytics.readonly is a subset of analytics, that's not how they are viewed internally. Thus there is no downgrade from analytics to analytics.readonly, as they are completely separate scopes. Therefore, since you must go through the additional-scopes process to acquire analytics.readonly, you might as well revoke the existing token, that being the only way to remove the existing analytics grant.

pinoyyid
  • Not talking about downgrade, both were requested originally; I want to remove one. – Linda Lawton - DaImTo Apr 21 '17 at 14:38
  • You originally requested both analytics **and** analytics.readonly? Odd, but hey ho. Either way, it isn't possible to revoke bits of a token, so you're stuck with revoking the token and requesting a new one. Since you aren't requesting any new scopes, if you set "prompt=none", you might get away with the user not being asked to re-authorize. – pinoyyid Apr 21 '17 at 14:47
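
An added example, not part of the original posts: a least-privilege audit that compares the scopes recorded for each stored grant with the scopes the application still needs, and decides which grants have to be revoked and re-authorized. It treats scopes as opaque strings, as the second answer describes. The function names, user ids and sample scope strings are assumptions constructed for the illustration; the input format is the space-delimited `scope` string of OAuth 2.0 (RFC 6749, section 3.3).

```python
"""Audit stored OAuth grants against the scopes the application still needs."""

BASE = "https://www.googleapis.com/auth/"
REQUIRED = frozenset({BASE + "analytics.readonly"})  # what the app needs today


def parse_scope(scope_field):
    """Split a space-delimited OAuth 2.0 scope string (RFC 6749, section 3.3)."""
    return frozenset(scope_field.split())


def audit_grant(scope_field, required=REQUIRED):
    """Classify one grant. Scopes are compared as opaque strings: holding
    'analytics' is NOT treated as also holding 'analytics.readonly'."""
    granted = parse_scope(scope_field)
    excess = granted - required
    missing = required - granted
    if not excess and not missing:
        action = "keep"
    elif excess:
        # A token cannot be narrowed in place, so the whole grant is revoked
        # and the user re-consents to the required scopes only.
        action = "revoke-and-reauthorize"
    else:
        action = "request-missing-scopes"
    return {"action": action, "excess": sorted(excess), "missing": sorted(missing)}


def audit_all(grants):
    """Map user id -> audit result for a dict of user id -> scope string."""
    return {user: audit_grant(scope) for user, scope in grants.items()}


# Constructed sample data: user ids and scope strings are made up for the demo.
SAMPLE_GRANTS = {
    "user-a": BASE + "analytics.readonly",
    "user-b": BASE + "analytics " + BASE + "analytics.readonly",
    "user-c": BASE + "analytics",
    "user-d": "",
}

if __name__ == "__main__":
    for user, result in audit_all(SAMPLE_GRANTS).items():
        print(user, result["action"], "excess:", result["excess"])
```
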