Preventing Google Social Login if Consent for a Scope is Denied

Problem statement

On new user signup using the Google Social connection, if a user skips the checkbox for granting consent to a requested scope (e.g. `https://www.googleapis.com/auth/calendar.readonly` or `offline_access`), the user profile is still created and the user can log in.

Is there a way to prevent the user from being created until they consent to all the requested scopes?

Solution

On sign up via Google the user may leave the permissions box for a requested scope unchecked and still continue with login. A requested scope is exactly that: requested, not mandatory. This behaviour is governed by Google; according to their Calendar API Scopes documentation, the user is asked to approve each scope on the consent screen and is entitled to reject it at that point and continue with sign up, in which case the user account will still be created.

One workaround is to check after login whether the scope was actually granted. Fetch the user with the Management API "get a user by id" endpoint and read the Google access token from the `identities` array of the returned profile. That token can then be inspected with `GET https://oauth2.googleapis.com/tokeninfo?access_token=<access_token>` to confirm which scopes were granted. If a required scope is missing, show the user a message saying that the Google Calendar scope is required and then log them out of the application (use federated logout so that they are also signed out at the Google end).
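The check described above, as an added Node.js example that is not part of the original article: it extracts the Google token from a Management API user profile and compares the `scope` field of the tokeninfo reply against the scopes the application needs. The function names, the required-scope list, the sample profile and the sample tokeninfo reply are all constructed for illustration.

```javascript
// Scopes the application cannot work without (assumed for this example).
const REQUIRED_SCOPES = ["https://www.googleapis.com/auth/calendar.readonly"];

// Pull the Google access token out of the identities array of a profile
// returned by the Management API "get a user by id" endpoint. Note that the
// identity's access_token is only included when the Management API token
// carries the read:user_idp_tokens scope.
function googleAccessToken(userProfile) {
  const identity = (userProfile.identities || []).find(
    (i) => i.provider === "google-oauth2"
  );
  return identity && identity.access_token ? identity.access_token : null;
}

// tokeninfo returns granted scopes as one space-separated string; return the
// required scopes that are NOT in it (an empty array means consent is complete).
function missingScopes(tokenInfo, required = REQUIRED_SCOPES) {
  const granted = new Set((tokenInfo.scope || "").split(" ").filter(Boolean));
  return required.filter((s) => !granted.has(s));
}

// Call Google's tokeninfo endpoint (uses the global fetch of Node 18+;
// not exercised in the offline sample below).
async function fetchTokenInfo(accessToken) {
  const url =
    "https://oauth2.googleapis.com/tokeninfo?access_token=" +
    encodeURIComponent(accessToken);
  const res = await fetch(url);
  if (!res.ok) throw new Error(`tokeninfo returned HTTP ${res.status}`);
  return res.json();
}

// Constructed sample data: a profile whose Google identity carries a token,
// and a tokeninfo reply for a user who skipped the Calendar checkbox.
const sampleProfile = {
  user_id: "google-oauth2|000000000000000000000",
  identities: [
    { provider: "google-oauth2", user_id: "000000000000000000000",
      access_token: "ya29.constructed-sample-token", isSocial: true },
  ],
};
const sampleTokenInfo = {
  scope: "openid https://www.googleapis.com/auth/userinfo.email " +
         "https://www.googleapis.com/auth/userinfo.profile",
  expires_in: "3599",
};

// In the application's post-login flow: if missingScopes(...) is non-empty,
// show the "Calendar access is required" message and trigger federated logout.
```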

On the next login they will have to either accept the scope or cancel the login transaction, because the consent dialogue below will be presented again when the same scopes are requested: