I have setup a Google OAuth client application and obtained client_ID and secret key. See the screenshot below.

Now, visitors to my website are sent to this URL when they click the "Login with Google" badge:

https://accounts.google.com/o/oauth2/auth?client_id=65271345115-ocrkffgo6irh2rji8knpnanfh8rf4s35.apps.googleusercontent.com&redirect_uri=https://www.webpagetest.org/testlog/1/&response_type=code&scope=profile+email

When the user clicks there, I expect that Google will pop up a permission-granting window like this one. However that doesn't happen! When the user clicks on that link, it doesn't ask them for permissions. It just sends them to the redirect_uri and tacks on the code at the end of it.

Why? Isn't this a security hole? Why is a code being issued without permissions being granted by the user?


Saqib Ali
  • Because you've probably already granted access. To reset, go here: https://myaccount.google.com/u/0/permissions?pli=1 – JM-AGMS Jul 05 '18 at 20:16
  • JM-AGMS, I asked some randos in my office try it. They had never encountered this app before. And they were not prompted to give permission. Can you click the link? Does it ask you to grant permission? – Saqib Ali Jul 05 '18 at 20:27
  • You need to properly encode your website URL. In JavaScript you can use `encodeURIComponent()`. – JM-AGMS Jul 05 '18 at 20:34
  • Can you show me the proper URL I should be using? If the website I'm providing is incorrect why does Google successfully redirect and produce an OAuth code? – Saqib Ali Jul 05 '18 at 20:46
  • Replace your website url in `redirect_uri` with: `https%3A%2F%2Fwww.webpagetest.org%2Ftestlog%2F1%2F` – JM-AGMS Jul 05 '18 at 21:47
  • That made no difference. Did you try clicking the link (with the change you specified) yourself? If the website I'm providing is incorrect why does Google successfully redirect and produce an OAuth code? – Saqib Ali Jul 05 '18 at 22:02
  • Looks like they changed the behavior for profile/email scopes, no permissions prompt. It has changed on my integration as well. I added aliases scope and it does prompt me for those permissions. – JM-AGMS Jul 06 '18 at 18:36

0 Answers