zotero / zotero-google-docs-integration

Insert a disclaimer about which account to choose when authenticating with Google Docs #60

Open adomasven opened 2 years ago

adomasven commented 2 years ago

This is a somewhat common issue that we don't have a great way to address once it happens - users authenticating Zotero with the wrong account when signed in with multiple Google accounts and asked to auth for Google Docs. I feel like it's a bit naughty tampering with the OAuth screen, but at the same time the account picker screen would be the best place to insert a Zotero disclaimer that the user should choose the account associated with the doc, not the one they use to log in with Zotero.

Any reasons why we shouldn't do it?

dstillman commented 2 years ago

I forget, do you potentially have to type your password in that window too? Because if so (and maybe even if not), I'd be a little uncomfortable modifying it. It's not quite the same as asking for a third-party login on another site — all in the name of providing you the service you're asking for, your password isn't being stored, etc. — but it's a bit similar. No real practical difference in this case, but I don't want people to think that we're anywhere near their login info.

What's the domain of the auth page, anyway? If it's accounts.google.com or something, I could easily see that getting our extension flagged/banned. So I think it'd only be an option if it were coming from docs.google.com.

The traditional option, outside the context of a browser extension that can modify any page, would be an initial popup that warned them what to do on the next pane. That's what you see in, say, apps that are about to trigger system permissions dialogs. If we can do that here, it might actually be more effective, even if it's a little annoying every time?

adomasven commented 2 years ago

> The traditional option, outside the context of a browser extension that can modify any page, would be an initial popup that warned them what to do on the next pane.

I considered this, but I think this will have a limited desirable effect and will annoy most users. If you're only signed in to one account, you only get the dialog the first time you use Google Docs with Zotero and then you don't even see it; it just pops open and disappears for our OAuth key retrieval. However, we don't know that before we run the OAuth procedure, so we'd have to show it after every browser restart. I also think a lot of people would click through it without reading, or read it but not understand what it meant.

The domain is accounts.google.com. You do need to enter your password, but it's on the next screen where we wouldn't put the disclaimer.

This might be too risky, so if we don't want to do this, I think it's best to drop it completely. Then again, Google does say "to continue to Zotero Google Docs Integration". Although perhaps we can put a disclaimer there from the Google App console?

dstillman commented 2 years ago

Yeah, I'm not super comfortable modifying that. What did you have in mind?

dstillman commented 2 years ago

I forget — are we able to detect this when it happens? Do we show an error? Can we just show a better error?

adomasven commented 2 years ago

> Yeah, I'm not super comfortable modifying that. What did you have in mind?

I thought we could add a Zotero disclaimer right below the Z icon in a grey background (of the color we use in the progress dialog) about which account to select. If we wanted something less "tampering with the page" and more "this is our own Zotero thing" we could display a Zotero modal popup (that greys the background) that the user would have to first dismiss, although that would still be quite annoying.

> I forget — are we able to detect this when it happens? Do we show an error? Can we just show a better error?

GDocs returns a generic error about not having the permissions to access the doc, but I don't think we've ever seen that for something other than this, so we could probably just show a better message for it.

dstillman commented 2 years ago

Yeah, I think we should start with a better error message and see if the forum posts stop. People likely aren't going to read something until they get the error a couple times anyway, so I think a better message after the fact would be more effective, and we'd need it regardless.