search

googleapis / google-api-java-client-services

Generated Java code for Google APIs
Apache License 2.0
605 stars 340 forks source link

Calendar: Additional Scope enforced to be requested when it is not needed #17922

Open bunnis opened 11 months ago

bunnis commented 11 months ago

Environment details

  1. Specify the API at the beginning of the title. Calendar API
  2. OS type and version: Android target SDK 33
  3. Java version: Android 13
  4. version(s): com.google.apis:google-api-services-calendar:v3-rev20230707-2.0.0

Steps to reproduce

  1. Sign-In to Google and request Scope CALENDAR_EVENTS_READONLY = https://www.googleapis.com/auth/calendar.events.readonly"
  2. Retrieve the Calendar Events List for a certain CalendarID
  3. Get warning [GoogleAuthUtil] isUserRecoverableError status: NEED_REMOTE_CONSENT, which triggers exception UserRecoverableAuthIOException
  4. Upon handling exception, Request_Permission is requesting Scope "https://www.googleapis.com/auth/calendar". This is not needed, as observed in https://developers.google.com/calendar/api/v3/reference/events/list, and selecting only the events.readonly scope

Code example (simplified)

        GoogleSignInOptions mGoogleSignInOptions = new GoogleSignInOptions.Builder(GoogleSignInOptions.DEFAULT_SIGN_IN)
                .requestEmail()
                .requestScopes(new Scope(CalendarScopes.CALENDAR_EVENTS_READONLY)) //https://developers.google.com/identity/protocols/oauth2/scopes#calendar
                .build();

        // Build a GoogleSignInClient with the options specified by gso.
        GoogleSignInClient mGoogleSignInClient = GoogleSignIn.getClient(MainActivity.this, mGoogleSignInOptions);
        Intent signInIntent = mGoogleSignInClient.getSignInIntent();
        startActivityForResult(signInIntent, SIGN_IN_REQUEST_CODE); 

            do {
                page++;
                Events events;
                Log.i(appLogTAG, "Sending events request, page "+page);

                events = calendarService.events().list(calendarID).execute();

                List<Event> items = events.getItems();

                for (Event event : items) {
                    //some work
                }

                pageToken = events.getNextPageToken();
                syncToken = events.getNextSyncToken();
            } while (pageToken != null);

        }catch (UserRecoverableAuthIOException e) {
            toastInUI("Error while retrieving data. ");

            //request missing permissions
            Intent intent = e.getIntent();
            intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
            appContext.startActivity(intent);

        } catch (GoogleJsonResponseException e) {
            if (e.getStatusCode() == 410) {
                // A 410 status code, "Gone", indicates that the sync token is invalid.
                Log.e(appLogTAG,"Invalid sync token, clearing event store and re-syncing.");
            } else {
                throw new RuntimeException(e);
            }
        }catch (SocketTimeoutException e) {
            Log.e(appLogTAG, "Timeout while retrieving data.");
            toastInUI("Timeout while retrieving data.");
        }catch (IOException e) {
            Log.e(appLogTAG, "Unknown error.");
            throw new RuntimeException(e);
        }

Stack trace

W  [GoogleAuthUtil] isUserRecoverableError status: NEED_REMOTE_CONSENT

External references such as API reference guides

Any additional information below

I have tried debugging to understand where the enforced permission request comes from without success. From the link in External References the requested Scope is enough to list all events in the Calendar.

Thanks!

blakeli0 commented 11 months ago

@TimurSadykov Is this something you can help with?

suztomo commented 10 months ago

@bunnis Would you attach the stacktrace? It tells file name and line number that causes the exception.

"W" at the beginning is warning.

bunnis commented 10 months ago

@suztomo I don't have any indication of the line number that causes the exception, this is what I see in Logcat:

2023-09-01 20:20:06.884 18935-20392 ABSKULAITY.BDAYCN       pt....aity.bdaynotificationsgooglec  I  Starting to Retrieve Calendar Bday Events
2023-09-01 20:20:06.885 18935-20392 ABSKULAITY.BDAYCN       pt....aity.bdaynotificationsgooglec  D  Setting up Google Credentials
2023-09-01 20:20:06.886 18935-20392 ABSKULAITY.BDAYCN       pt....aity.bdaynotificationsgooglec  D  Creating Calendar Service
2023-09-01 20:20:06.891 18935-20392 ABSKULAITY.BDAYCN       pt....aity.bdaynotificationsgooglec  I  Starting the events fetching logic 
2023-09-01 20:20:06.891 18935-20392 ABSKULAITY.BDAYCN       pt....aity.bdaynotificationsgooglec  I  Sending events request, page 1
**2023-09-01 20:20:07.071 18935-20392 Auth                    pt....aity.bdaynotificationsgooglec  W  [GoogleAuthUtil] isUserRecoverableError status: NEED_REMOTE_CONSENT**
suztomo commented 10 months ago

exception UserRecoverableAuthIOException

Can I see the stacktrace of this exception?

bunnis commented 10 months ago 
com.google.api.client.googleapis.extensions.android.gms.auth.UserRecoverableAuthIOException
at com.google.api.client.googleapis.extensions.android.gms.auth.GoogleAccountCredential$RequestHandler.intercept(GoogleAccountCredential.java:288)
at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:880)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:552)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:493)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:603)
at mypackage.DataRepo.retrieveCalendarBdayEvents(DataRepo.java:277)
at mypackage.DataRepo.loadData(DataRepo.java:410)
at mypackage.DataRepo.run(DataRepo.java:193)
at java.lang.Thread.run(Thread.java:1012)
                                                                                                    Caused by: com.google.android.gms.auth.UserRecoverableAuthException: NeedRemoteConsent
at com.google.android.gms.auth.zzl.zzg(com.google.android.gms:play-services-auth-base@@18.0.4:20)
at com.google.android.gms.auth.zzl.zzb(com.google.android.gms:play-services-auth-base@@18.0.4:4)
at com.google.android.gms.auth.zzf.zza(Unknown Source:6)
at com.google.android.gms.auth.zzl.zzh(com.google.android.gms:play-services-auth-base@@18.0.4:6)
at com.google.android.gms.auth.zzl.zza(com.google.android.gms:play-services-auth-base@@18.0.4:15)
at com.google.android.gms.auth.zzl.getToken(com.google.android.gms:play-services-auth-base@@18.0.4:3)
at com.google.android.gms.auth.zzl.getToken(com.google.android.gms:play-services-auth-base@@18.0.4:1)
at com.google.android.gms.auth.zzl.getToken(com.google.android.gms:play-services-auth-base@@18.0.4:6)
at com.google.android.gms.auth.GoogleAuthUtil.getToken(com.google.android.gms:play-services-auth-base@@18.0.4:3)
at com.google.api.client.googleapis.extensions.android.gms.auth.GoogleAccountCredential.getToken(GoogleAccountCredential.java:258)
at com.google.api.client.googleapis.extensions.android.gms.auth.GoogleAccountCredential$RequestHandler.intercept(GoogleAccountCredential.java:283)
at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:880)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:552)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:493)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:603)
at mypackage.DataRepo.retrieveCalendarBdayEvents(DataRepo.java:277)
at mypackage.DataRepo.loadData(DataRepo.java:410)
at mypackage.DataRepo.run(DataRepo.java:193)
at java.lang.Thread.run(Thread.java:1012)
suztomo commented 10 months ago

Thank you.

TimurSadykov commented 10 months ago

@blakeli0 No, sorry, it looks like this code does not use GUAC auth libs.

bunnis commented 9 months ago

any progress?

TimurSadykov commented 8 months ago

@bunnis The main problem seems to be the "NEED_REMOTE_CONSENT" error. This seems to be service specific and related to app verification status or error handeling, do you have your app verified, have you tried to handle like in the example?

bunnis commented 8 months ago

@TimurSadykov I handle the error correctly and everything works. The main problem is that using the API vs Web, the permissions are different. Via Web I only need read-only permission the access the data. Using the API, if I request the read-only permission then the Error Handling will force me to request read and write permissions. Obviously this is a different behaviour than the Web. Please refer to my initial description in 4: # Upon handling exception, Request_Permission is requesting Scope "https://www.googleapis.com/auth/calendar". This is not needed, as observed in https://developers.google.com/calendar/api/v3/reference/events/list, and selecting only the events.readonly scope

bunnis commented 5 months ago

gentle nudge @TimurSadykov

bunnis commented 3 weeks ago

Hello, can someone update the status of this?