Calendar: Additional Scope enforced to be requested when it is not needed

[bunnis]

Environment details

1. Specify the API at the beginning of the title. Calendar API
2. OS type and version: Android target SDK 33
3. Java version: Android 13
4. version(s): com.google.apis:google-api-services-calendar:v3-rev20230707-2.0.0

Steps to reproduce

1. Sign-In to Google and request Scope CALENDAR_EVENTS_READONLY =
   https://www.googleapis.com/auth/calendar.events.readonly"
2. Retrieve the Calendar Events List for a certain CalendarID
3. Get warning [GoogleAuthUtil] isUserRecoverableError status: NEED_REMOTE_CONSENT, which triggers exception UserRecoverableAuthIOException
4. Upon handling exception, Request_Permission is requesting Scope "https://www.googleapis.com/auth/calendar". This is not needed, as observed in https://developers.google.com/calendar/api/v3/reference/events/list, and selecting only the events.readonly scope

Code example (simplified)

        GoogleSignInOptions mGoogleSignInOptions = new GoogleSignInOptions.Builder(GoogleSignInOptions.DEFAULT_SIGN_IN)
                .requestEmail()
                .requestScopes(new Scope(CalendarScopes.CALENDAR_EVENTS_READONLY)) //https://developers.google.com/identity/protocols/oauth2/scopes#calendar
                .build();

        // Build a GoogleSignInClient with the options specified by gso.
        GoogleSignInClient mGoogleSignInClient = GoogleSignIn.getClient(MainActivity.this, mGoogleSignInOptions);
        Intent signInIntent = mGoogleSignInClient.getSignInIntent();
        startActivityForResult(signInIntent, SIGN_IN_REQUEST_CODE); 


            do {
                page++;
                Events events;
                Log.i(appLogTAG, "Sending events request, page "+page);

                events = calendarService.events().list(calendarID).execute();


                List<Event> items = events.getItems();

                for (Event event : items) {
                    //some work
                }

                pageToken = events.getNextPageToken();
                syncToken = events.getNextSyncToken();
            } while (pageToken != null);


        }catch (UserRecoverableAuthIOException e) {
            toastInUI("Error while retrieving data. ");

            //request missing permissions
            Intent intent = e.getIntent();
            intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
            appContext.startActivity(intent);

        } catch (GoogleJsonResponseException e) {
            if (e.getStatusCode() == 410) {
                // A 410 status code, "Gone", indicates that the sync token is invalid.
                Log.e(appLogTAG,"Invalid sync token, clearing event store and re-syncing.");
            } else {
                throw new RuntimeException(e);
            }
        }catch (SocketTimeoutException e) {
            Log.e(appLogTAG, "Timeout while retrieving data.");
            toastInUI("Timeout while retrieving data.");
        }catch (IOException e) {
            Log.e(appLogTAG, "Unknown error.");
            throw new RuntimeException(e);
        }
       

Stack trace

W  [GoogleAuthUtil] isUserRecoverableError status: NEED_REMOTE_CONSENT

External references such as API reference guides

• https://developers.google.com/calendar/api/v3/reference/events/list

Any additional information below

I have tried debugging to understand where the enforced permission request comes from without success. From the link in External References the requested Scope is enough to list all events in the Calendar.

Thanks!

[blakeli0]

@TimurSadykov Is this something you can help with?

[suztomo]

@bunnis Would you attach the stacktrace? It tells file name and line number that causes the exception.

"W" at the beginning is warning.

[bunnis]

@suztomo I don't have any indication of the line number that causes the exception, this is what I see in Logcat:

2023-09-01 20:20:06.884 18935-20392 ABSKULAITY.BDAYCN       pt....aity.bdaynotificationsgooglec  I  Starting to Retrieve Calendar Bday Events
2023-09-01 20:20:06.885 18935-20392 ABSKULAITY.BDAYCN       pt....aity.bdaynotificationsgooglec  D  Setting up Google Credentials
2023-09-01 20:20:06.886 18935-20392 ABSKULAITY.BDAYCN       pt....aity.bdaynotificationsgooglec  D  Creating Calendar Service
2023-09-01 20:20:06.891 18935-20392 ABSKULAITY.BDAYCN       pt....aity.bdaynotificationsgooglec  I  Starting the events fetching logic 
2023-09-01 20:20:06.891 18935-20392 ABSKULAITY.BDAYCN       pt....aity.bdaynotificationsgooglec  I  Sending events request, page 1
**2023-09-01 20:20:07.071 18935-20392 Auth                    pt....aity.bdaynotificationsgooglec  W  [GoogleAuthUtil] isUserRecoverableError status: NEED_REMOTE_CONSENT**

[suztomo]

exception UserRecoverableAuthIOException

Can I see the stacktrace of this exception?

[bunnis]

com.google.api.client.googleapis.extensions.android.gms.auth.UserRecoverableAuthIOException
at com.google.api.client.googleapis.extensions.android.gms.auth.GoogleAccountCredential$RequestHandler.intercept(GoogleAccountCredential.java:288)
at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:880)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:552)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:493)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:603)
at mypackage.DataRepo.retrieveCalendarBdayEvents(DataRepo.java:277)
at mypackage.DataRepo.loadData(DataRepo.java:410)
at mypackage.DataRepo.run(DataRepo.java:193)
at java.lang.Thread.run(Thread.java:1012)
                                                                                                    Caused by: com.google.android.gms.auth.UserRecoverableAuthException: NeedRemoteConsent
at com.google.android.gms.auth.zzl.zzg(com.google.android.gms:play-services-auth-base@@18.0.4:20)
at com.google.android.gms.auth.zzl.zzb(com.google.android.gms:play-services-auth-base@@18.0.4:4)
at com.google.android.gms.auth.zzf.zza(Unknown Source:6)
at com.google.android.gms.auth.zzl.zzh(com.google.android.gms:play-services-auth-base@@18.0.4:6)
at com.google.android.gms.auth.zzl.zza(com.google.android.gms:play-services-auth-base@@18.0.4:15)
at com.google.android.gms.auth.zzl.getToken(com.google.android.gms:play-services-auth-base@@18.0.4:3)
at com.google.android.gms.auth.zzl.getToken(com.google.android.gms:play-services-auth-base@@18.0.4:1)
at com.google.android.gms.auth.zzl.getToken(com.google.android.gms:play-services-auth-base@@18.0.4:6)
at com.google.android.gms.auth.GoogleAuthUtil.getToken(com.google.android.gms:play-services-auth-base@@18.0.4:3)
at com.google.api.client.googleapis.extensions.android.gms.auth.GoogleAccountCredential.getToken(GoogleAccountCredential.java:258)
at com.google.api.client.googleapis.extensions.android.gms.auth.GoogleAccountCredential$RequestHandler.intercept(GoogleAccountCredential.java:283)
at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:880)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:552)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:493)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:603)
at mypackage.DataRepo.retrieveCalendarBdayEvents(DataRepo.java:277)
at mypackage.DataRepo.loadData(DataRepo.java:410)
at mypackage.DataRepo.run(DataRepo.java:193)
at java.lang.Thread.run(Thread.java:1012)

[suztomo]

Thank you.

[TimurSadykov]

@blakeli0 No, sorry, it looks like this code does not use GUAC auth libs.

[bunnis]

any progress?

[TimurSadykov]

@bunnis The main problem seems to be the "NEED_REMOTE_CONSENT" error. This seems to be service specific and related to app verification status or error handeling, do you have your app verified, have you tried to handle like in the example?

[bunnis]

@TimurSadykov I handle the error correctly and everything works. The main problem is that using the API vs Web, the permissions are different. Via Web I only need read-only permission the access the data. Using the API, if I request the read-only permission then the Error Handling will force me to request read and write permissions. Obviously this is a different behaviour than the Web. Please refer to my initial description in 4:

Upon handling exception, Request_Permission is requesting Scope "https://www.googleapis.com/auth/calendar". This is not needed, as observed in https://developers.google.com/calendar/api/v3/reference/events/list, and selecting only the events.readonly scope

[bunnis]

gentle nudge @TimurSadykov