More granular Google Account permissions with Google OAuth and APIs
Posted by Adam Dawes, Senior Product Manager
Google offers a wide variety of APIs that third-party app developers can use to build features
for Google users. Granting access to this data is an important decision. Going forward,
consumers will get more fine-grained control over what account data they choose to share with
each app.
Over the next few months, we'll start rolling out an improvement to our API infrastructure. We
will show each permission that an app requests one at a time, within its own dialog, instead
of presenting all permissions in a single dialog*. Users will have the ability to grant or
deny permissions individually.
To prepare for this change, there are a number of actions you should take with your app:
- Review the Google API Services: User Data Policy and make sure you are following it.
- Before making an API call, check to see if the user has already granted permission
to your app. This will help you avoid insufficient permission errors which could lead to
unexpected app errors and a bad user experience. Learn more about this by referring to
documentation on your platform below:
  - Documentation for Android
  - Documentation for the web
  - Documentation for iOS
- Request permissions only when you need them. You'll be able to stage when each
permission is requested, and we recommend being thoughtful about doing this in context. You
should avoid asking for multiple scopes at sign-in, when users may be using your app for the
first time and are unfamiliar with the app's features. Bundling together a request for several
scopes makes it hard for users to understand why your app needs the permission and may alarm
and deter them from further use of your app.
- Provide justification before asking for access. Clearly explain why you need access,
what you'll do with a user's data, and how they will benefit from providing access. Our
research indicates that these explanations increase user trust and engagement.
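One way to implement the check-before-call step on the web, shown as an added example that is not code from the original post: it reads the space-delimited `scope` field of the token response and, if a scope is missing, builds a consent URL for only that scope. The function names, client ID, redirect URI and token values are constructed placeholders.

```javascript
// Added example; names, client ID, redirect URI and token values are constructed placeholders.
const AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth";

// Scopes actually granted: the token response's space-delimited `scope` field.
// With per-permission consent this can be a subset of what the app requested.
function grantedScopes(tokenResponse) {
  return new Set(String(tokenResponse.scope || "").split(/\s+/).filter(Boolean));
}

// Scopes a feature needs that the user has not granted (order preserved).
function missingScopes(tokenResponse, required) {
  const granted = grantedScopes(tokenResponse);
  return required.filter((scope) => !granted.has(scope));
}

// Consent URL for only the missing scopes. include_granted_scopes=true keeps
// earlier grants on the new token; `state` must be unpredictable per request.
function buildConsentUrl(client, scopes, state) {
  const params = new URLSearchParams({
    client_id: client.clientId,
    redirect_uri: client.redirectUri,
    response_type: "code",
    scope: scopes.join(" "),
    include_granted_scopes: "true",
    state,
  });
  return `${AUTH_ENDPOINT}?${params}`;
}

// Decide before calling the API instead of handling a permission error after.
function planApiCall(tokenResponse, required, client, state) {
  const missing = missingScopes(tokenResponse, required);
  if (missing.length === 0) return { action: "call_api", missing };
  return { action: "request_consent", missing, url: buildConsentUrl(client, missing, state) };
}

// Constructed sample: the app asked for Calendar and Drive, the user granted only Calendar.
const CALENDAR = "https://www.googleapis.com/auth/calendar.readonly";
const DRIVE_FILE = "https://www.googleapis.com/auth/drive.file";
const SAMPLE_TOKEN = { access_token: "CONSTRUCTED", token_type: "Bearer", scope: `openid ${CALENDAR}` };
const SAMPLE_CLIENT = { clientId: "EXAMPLE_CLIENT_ID", redirectUri: "https://app.example/oauth2/callback" };

console.log(planApiCall(SAMPLE_TOKEN, [CALENDAR], SAMPLE_CLIENT, "constructed-state"));
console.log(planApiCall(SAMPLE_TOKEN, [DRIVE_FILE], SAMPLE_CLIENT, "constructed-state"));
```

Show the justification for the missing permission before redirecting to the returned URL, and re-check the `scope` field of the new token afterwards, since the user can still deny the request.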
[Figure: An example of contextual permission gathering]
These changes will begin to roll out to new clients starting this month and will get extended
to existing clients at the beginning of 2019. Google continues to invest heavily in our
developer tools and platforms. Together with the changes we made last year, we expect this
improvement will help increase transparency and trust in our app ecosystem.
We look forward to working with you through this change. If you have feedback, please comment
below. Or, if you have any technical questions, please post them on Stack Overflow under the
google-oauth tag.
*Our different login scopes (profile, email, and openid) are all combined in the same consent
and don't need to be requested separately.