
I have implemented OAuth2 with Google, using the googleapis/google-api-php-client API client in PHP, and have got it working with the sign-in scope "profile". I want to use incremental authorization, such that some time after the user has logged in I can add the YouTube scope "https://www.googleapis.com/auth/youtube.force-ssl" so I can gather info on YouTube creators' comments. Every example I can find only goes as far as saying that you need to add the following single line of code:

$client->setIncludeGrantedScopes(true);

I've done that, but what do I do after I have authenticated the user for login with that, and I now want to actually request the YouTube scope? Do I just run them through an additional OAuth request? If so, how do I link the login with the YouTube scope, or is there a different procedure?

I can request both the profile and the YouTube scopes during the initial OAuth login without issue, but I would rather have the user log in with the profile scope and then later add the YouTube scope. The main reason is that even though I am just using this to read comments, the scope itself pretty much gives the site the ability to do anything related to YouTube, and I don't want to scare off the user when they initially log in and are prompted to approve such a high-level scope.

If someone could point me to or show me a full example in PHP of this process I would be extremely grateful as I have been struggling with this for some time.

Thanks!

Nick

2 Answers


You are required to perform an OAuth request each time you request a new scope. So, more than one request is needed. You could use a single file to handle all the authentication requests. Something like this should work...

session_start(); // $_SESSION is used below, so the session must be started first

//set CSRF (Cross Site Request Forgery) token
if(!isset($_SESSION["state"])){
    $state = sha1(openssl_random_pseudo_bytes(1024)); 
    $_SESSION["state"] = $state;    
} else { $state = $_SESSION["state"]; }

//include Google PHP client library
require_once "../../ggl_lib/vendor/autoload.php"; 

//create client object to request authorization
$client = new Google_Client(); 
$client->setAuthConfig("path_to_key.json");
$scopes = array("profile", "email");

if ( isset($_GET["request"]) && ($_GET["request"] == "youtubeAccess") ) {   // configure authentication request to allow access to youtube info

    array_push($scopes, "https://www.googleapis.com/auth/youtube.force-ssl"); //this scope is for the youtube info
    $client->setIncludeGrantedScopes(true); // the new token will also cover scopes granted earlier
    $client->setRedirectUri("path_to_redirect_uri");                
    $client->setAccessType("offline");      // ask for a refresh token as well
    $client->setApprovalPrompt("force");    // always show the consent screen (newer library versions use setPrompt("consent"))

}  else { // configure authentication to get user basic information

    $client->setApprovalPrompt("force");
    $client->setRedirectUri("path_to_redirect_uri");

}

$client->setScopes($scopes); // set scopes
$client->setState($state); // set CSRF Token

//Request authorization
if (!isset($_GET['code'])) {    
    $auth_url = $client->createAuthUrl();
    header('Location: ' . filter_var($auth_url, FILTER_SANITIZE_URL));
    exit; // stop here; nothing else should run once the redirect has been sent
}
// On the way back (code present), compare $_GET['state'] with $_SESSION['state']
// before exchanging the code for a token.

The above approach sends a URL parameter request=youtubeAccess to indicate that it needs to acquire YouTube scopes. If the parameter is not present, it simply performs the basic authorization. If you are saving the token to a database, every time you perform the authorization, make sure to save the token to the database. This is how I deal with incremental authorization.

Morfinismo
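An added example (not code from either answer) of the callback side of the flow described above: it checks the returned state against the session, exchanges the code, and reads the token's scope field to confirm the YouTube scope was actually granted before enabling any YouTube feature. It assumes the redirect URI points at this script, that the session holds the state set before the redirect, and the placeholder key path and redirect URI from the answer above.

```php
<?php
session_start();
require_once __DIR__ . '/vendor/autoload.php'; // assumed autoloader location
const YT_SCOPE = 'https://www.googleapis.com/auth/youtube.force-ssl';

// The "scope" field of the token response is the authoritative record of what
// the user consented to; with include_granted_scopes it is the union so far.
function grantedScopes(array $token): array
{
    return isset($token['scope']) ? preg_split('/\s+/', trim($token['scope'])) : [];
}

function hasScope(array $token, string $scope): bool
{
    return in_array($scope, grantedScopes($token), true);
}

// CSRF check: the state must round-trip unchanged, and is single-use.
if (!isset($_GET['state'], $_SESSION['state'])
    || !hash_equals($_SESSION['state'], $_GET['state'])) {
    http_response_code(400);
    exit('Invalid OAuth state');
}
unset($_SESSION['state']);

if (isset($_GET['error']) || !isset($_GET['code'])) {
    exit('Authorization was not completed: ' . htmlspecialchars($_GET['error'] ?? 'no code'));
}

$client = new Google_Client();
$client->setAuthConfig('path_to_key.json');       // placeholder from the answer above
$client->setRedirectUri('path_to_redirect_uri');  // must equal the URI used in the auth request

$token = $client->fetchAccessTokenWithAuthCode($_GET['code']);
if (isset($token['error'])) {
    exit('Token exchange failed: ' . htmlspecialchars($token['error']));
}

// Persist the newest token as the user's current one (a database row would do the
// same): it carries the combined scopes, and its refresh_token (returned because
// of access_type=offline with a forced consent prompt) refreshes with those scopes.
$_SESSION['google_token'] = $token;

if (hasScope($token, YT_SCOPE)) {
    $_SESSION['youtube_enabled'] = true;   // safe to call the YouTube API now
} else {
    // Sign-in only (or YouTube left unticked on the consent screen): keep YouTube
    // features off and offer the request=youtubeAccess link again later.
    $_SESSION['youtube_enabled'] = false;
}
```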

I was battling incremental scopes with PHP for an entire day, primarily with refreshing expired access tokens. Every time the access token expired and I used the refresh token to get a fresh access token, the new token didn't have the new scopes. My original signup did NOT have incremental scopes.

FIX: In your personal Google account under "Third-party apps with account access", just remove the permission entirely and re-register with your app. When you re-register, the "incremental scopes" will be set from the beginning.

Mike