
In my Django application I am using Python Social Auth to use Google OAuth for my site's login. As part of the login mechanism, the authentication middleware appends a User object to each request. Because of this I can easily access user emails through request.user.email on my server (which I don't want because of my site's privacy policy).

So is there a way to use third-party authentication systems without getting user emails on my server side?

I am fine with writing code that assigns a username/alias for the first-time user, which shall be used in future references.

Harvey
  • I thought I did something similar, but can't find it in my code and it's been a while... try playing/searching how to use the SOCIAL_AUTH_XXX_SCOPE variables, or other variables for social auth (where XXX = auth system like FACEBOOK) – warath-coder Nov 27 '17 at 12:59

1 Answer

You can configure Google OAuth scope to not request the client's email from Google.

Example settings:

SOCIAL_AUTH_GOOGLE_OAUTH2_IGNORE_DEFAULT_SCOPE = True

SOCIAL_AUTH_GOOGLE_OAUTH2_SCOPE = [
    # only put here things that you want google to return
    'https://www.googleapis.com/auth/userinfo.profile',
    # something else ...
]

All Google OAuth2 scopes are listed in this table: https://developers.google.com/identity/protocols/googlescopes#oauth2v2

xyres
  • @Harvey You can exclude that from the scope. – xyres Nov 27 '17 at 14:50
  • I tried doing that. I got the following error on browser "Missing required parameter: scope" – Harvey Nov 27 '17 at 14:52
  • @Harvey Google OAuth requires a `scope`. If you're not requesting the profile, you must request at least something. See https://stackoverflow.com/questions/23849987/google-oauth2-asking-for-no-information-empty-scope – xyres Nov 27 '17 at 15:00
  • So what would be the best way to have the highest standard of user privacy? – Harvey Nov 27 '17 at 15:15
  • @Harvey You don't even want a user's name? In that case, you should use this scope - `https://www.googleapis.com/auth/plus.login`. It will only get a user's language and their age-range (if the user is 18+ or 21+, etc). – xyres Nov 27 '17 at 15:37
  • Appreciate that but that includes list of people in the user's circles. Not exactly how I'd define privacy. – Harvey Nov 27 '17 at 15:54
  • @Harvey It doesn't return the user's circles. I just tried this with my account to verify. Also, you can read this - https://developers.google.com/+/web/people/#retrieve-a-collection-of-people. It says that it used to return circles in the past, but not anymore. – xyres Nov 27 '17 at 16:24
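The scope settings in the answer control what Google sends; the asker also mentioned being willing to assign an alias to first-time users. As an added example (not from the answer or from python-social-auth itself), here is a defence-in-depth pipeline step that drops identifying fields before the user record is created and assigns a random alias as the username. It assumes the standard python-social-auth pipeline hook signature and the SOCIAL_AUTH_PIPELINE setting; the module path `myapp.pipeline` and the key list are assumptions.

```python
import secrets

# Constructed list: fields we never want persisted, whatever scope the provider grants.
SENSITIVE_DETAIL_KEYS = ("email", "fullname", "first_name", "last_name")


def scrub_details(details):
    """Return a copy of the social-auth `details` dict without identifying fields.

    The scope settings decide what Google *sends*; this step decides what the
    app *keeps*, so a later scope misconfiguration cannot leak an email into
    the User table.
    """
    return {k: v for k, v in details.items() if k not in SENSITIVE_DETAIL_KEYS}


def random_alias(prefix="user", nbytes=6):
    """Opaque alias used as the username for first-time users, e.g. user_3f9a1c2b7d04."""
    return f"{prefix}_{secrets.token_hex(nbytes)}"


def strip_identity(strategy, details, backend, user=None, *args, **kwargs):
    """Pipeline step using the standard python-social-auth hook signature.

    A dict returned from a step is merged into the pipeline kwargs, so the
    later `create_user` and `user_details` steps only ever see the scrubbed
    `details`. The alias is assigned only when no user exists yet.
    """
    cleaned = scrub_details(details)
    if user is None and not cleaned.get("username"):
        cleaned["username"] = random_alias()
    return {"details": cleaned}


# Hypothetical placement in settings.py: the step goes before create_user;
# the other entries are the default python-social-auth pipeline.
SOCIAL_AUTH_PIPELINE = (
    "social_core.pipeline.social_auth.social_details",
    "social_core.pipeline.social_auth.social_uid",
    "social_core.pipeline.social_auth.auth_allowed",
    "social_core.pipeline.social_auth.social_user",
    "myapp.pipeline.strip_identity",  # assumed module path for this file
    "social_core.pipeline.user.get_username",
    "social_core.pipeline.user.create_user",
    "social_core.pipeline.social_auth.associate_user",
    "social_core.pipeline.social_auth.load_extra_data",
    "social_core.pipeline.user.user_details",
)
```

Keep the restricted scope from the answer as well: this step only guards what the application stores, not what the provider transmits during the OAuth exchange.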