
I've got an internal web app for my company that uses a "Login with Google" authentication system. It's working well for the most part: they can authenticate with Google, give consent for my app to access basic user details, and then when they are returned to my app, I can indeed get their user details.

The issue is that I thought once they give consent they wouldn't have to do it each time. Is this an incorrect assumption? As it is now, each time they click "Login with Google" they must give consent rather than being redirected back to my app.

I'm using PHP (CodeIgniter) and a pretty good OAuth lib found on GitHub (a fork of Phil Sturgeon's library). Is there some param I should be passing so the user doesn't have to give consent every time, after the first time?

Greg

1 Answer


Google login does not require user consent every time. If you're using OAuth2 Login procedure, you should be able to login a second time w/o re-approvals: https://developers.google.com/accounts/docs/OAuth2Login

In some contexts, however, it is possible for auto-approval to become disabled, with the subsequent requirement of user consent on every login.

The first and most common case is if your application explicitly requests Google to prompt for consent every time. Check if your authorization request (which you may have copied from an example or sample code) includes 'prompt=consent' or the older, non-standard form 'approval_prompt=force'. Removing these parameters (if present) will likely cause auto-approval to start working.

Another situation is if your redirect URL is based on 'localhost' or some other URL that does not belong to the global DNS namespace. In this case, for security reasons, Google sets a cookie on the user's computer, in the accounts.google.com domain, to signal that the user authorized *this device* to login to 'foo' on localhost (or a local domain); Google will only auto-approve a 2nd request w/o consent if it finds the cookie. The reason is that the meaning of 'localhost' (or a local domain, or any other URL not built on the global DNS namespace) is device-dependent, and allowing the authorization to apply across devices could introduce security risks. So if your company has configured browsers to clear all cookies on exit, and you use a non-absolute URL, you could see your users having to consent every time. The solution is either to host your endpoint on an Internet-valid hostname (the host doesn't need to be accessible from outside the Intranet, just the hostname needs to be globally valid), or to exempt accounts.google.com from the cookie-clearing policy.

breno
  • Thanks breno. Diving into the third party lib, it was explicitly adding approval_prompt=force. I hadn't come across that in the docs I had read, but removing that did indeed fix the problem. Working like a charm, thanks! – Greg Feb 18 '13 at 22:13
  • Hi breno, I currently have a very similar problem that your current answer does not solve, could you take a look at it? https://stackoverflow.com/questions/52083196/google-authentification-always-ask-authorization-despite-prompt-has-no-value – Neok Sep 17 '18 at 19:51
  • Happened to me when I was using `access_type=offline` but not actually using the refresh-token for subsequent authorizations (I was simply calling `/o/oauth2/v2/auth` when the token is missing/expired). Seems like Google's OAuth behavior had changed recently, causing the full auth flow to retrigger if `access_type=offline` is passed - whereas in the past it just returned a new access token. Using the refresh token flow (`/oauth2/v4/token`) from second authorization onwards, fixed the issue for me. – Janaka Bandara Jul 17 '20 at 01:15
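The two causes the answer describes (a forced-consent parameter in the request, and a redirect URI whose host is not in the global DNS namespace) are both visible in the authorization URL itself, so they can be caught before a user ever sees the consent screen. The following is an added example and is not code from the question's CodeIgniter library or from the answer: it builds a Google authorization URL and audits it for both conditions. `GOOGLE_AUTH_ENDPOINT` is Google's documented v2 authorization endpoint; the helper names and the host heuristic in `is_globally_valid_host` are this example's own assumptions, not a Google API.

```python
"""Build and audit a Google OAuth 2.0 authorization request.

Added example (not the question's library, not Google's SDK). The
parameter names are the ones named in the answer; the function names
and the host heuristic are assumptions of this example.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# Google's documented OAuth 2.0 / OpenID Connect authorization endpoint.
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Parameter values that force the consent screen on every login.
# 'prompt' may carry several space-separated values, so it is compared as a set.
FORCED_CONSENT = {
    "prompt": {"consent"},          # standard OpenID Connect parameter
    "approval_prompt": {"force"},   # older, non-standard Google form
}


def build_auth_url(client_id, redirect_uri, scopes, state, **extra):
    """Return the authorization URL.

    Only the parameters every authorization-code request needs are set by
    default; anything that changes prompting behaviour (prompt=...,
    approval_prompt=..., access_type=...) must be passed in `extra` on purpose.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,  # CSRF token, bound to the user's session by the caller
    }
    params.update(extra)
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}"


def is_globally_valid_host(host):
    """Heuristic (an assumption of this example): does `host` look like a
    name in the global DNS namespace rather than a device-dependent one?"""
    host = host.lower().rstrip(".")
    if host in ("localhost", "127.0.0.1", "::1"):
        return False                       # loopback
    if host.endswith((".localhost", ".local", ".internal", ".test", ".invalid")):
        return False                       # reserved / link-local suffixes
    if "." not in host:
        return False                       # single-label intranet names
    if host.replace(".", "").isdigit():
        return False                       # dotted-quad IP address, not a DNS name
    return True


def audit_auth_url(url):
    """Return the reasons (possibly none) why this request will re-prompt for
    consent on every login, per the answer above."""
    query = parse_qs(urlsplit(url).query)
    findings = []

    # 1. Forced consent via prompt=consent or approval_prompt=force.
    for name, bad_values in FORCED_CONSENT.items():
        for value in query.get(name, []):
            hit = bad_values & set(value.split())
            if hit:
                findings.append(f"{name}={value} forces the consent screen on every login")

    # 2. Redirect host outside the global DNS namespace: auto-approval then
    #    depends on a per-device accounts.google.com cookie surviving.
    for redirect in query.get("redirect_uri", []):
        host = urlsplit(redirect).hostname or ""
        if not is_globally_valid_host(host):
            findings.append(
                f"redirect_uri host '{host}' is not in the global DNS namespace; "
                "auto-approval depends on an accounts.google.com cookie on this device"
            )
    return findings


if __name__ == "__main__":
    # Constructed sample: the situation in the question (forced approval_prompt).
    bad = build_auth_url("example-client-id", "http://localhost:8080/oauth2callback",
                         ["openid", "email"], "state123", approval_prompt="force")
    for finding in audit_auth_url(bad):
        print("FINDING:", finding)
    good = build_auth_url("example-client-id", "https://intranet.example.com/oauth2callback",
                          ["openid", "email"], "state123")
    print("findings for corrected request:", audit_auth_url(good))
```

Run the audit against the exact URL your library emits (log it once at the redirect) rather than against what you think it emits; in the question's case the forced parameter was added by the library, not by the application code.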