Requesting additional permissions

When requesting user permission to access user data or other resources, you can request all scopes up-front in the initial request or request scopes only as needed, using incremental authorization. Using incremental authorization, your app initially requests only the scopes required to start your app, then requests additional scopes as new permissions are required, in a context that identifies the reason for the request to the user.

For example, suppose your app lets users save music playlists to Google Drive; your app can request basic user information at sign-in, and later, when the user is ready to save their first playlist, ask only for Google Drive permissions.

Use this technique if you suspect users are not signing in because your consent screen is overwhelming, or are confused about why they are being asked for certain permissions. The following instructions are for the web, and are derived from the instructions for adding a client-side sign-in button: Building a Google 2.0 Sign-In button. You can read more about incremental authorization for the web in the OAuth 2.0 documentation.

Requesting additional scopes

At sign-in, your app requests "base" scopes, consisting of the sign-in scope profile plus any other initial scopes your app requires for operation. Later, when the user wants to perform an action that requires additional scopes, your app requests those additional scopes and the user authorizes only the new scopes from a consent screen.

Step 1: Request base scopes

Request the base scope profile when you initialize Google Sign-In. This step is included in Building a Google 2.0 Sign-In button.

auth2 = gapi.auth2.init({
    client_id: 'CLIENT_ID.apps.googleusercontent.com',
    cookiepolicy: 'single_host_origin', // Default value
    scope: 'profile'                    // Base scope
});

Step 2: Request additional scopes

Wherever additional scopes are needed, request them by constructing an options builder with the scopes you want to add and then calling user.grant({scope: [OPTIONS BUILDER]}).then(successFunction, failFunction):

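// Build the request for the additional scopes only.
const options = new gapi.auth2.SigninOptionsBuilder();
options.setScope('email https://www.googleapis.com/auth/drive');

// Ask the currently signed-in user to grant them.
const googleUser = auth2.currentUser.get();
googleUser.grant(options).then(
    function(success){
      // The user approved the additional scopes.
      console.log(JSON.stringify({message: "success", value: success}));
    },
    function(fail){
      // The user closed the consent screen or denied the request.
      alert(JSON.stringify({message: "fail", value: fail}));
    });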
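
As an added example (not part of the original instructions), the sketch below wraps Step 2 so the app asks only for scopes the user has not already granted and confirms the grant afterwards instead of assuming it. ensureScopes, missingScopes and the injectable newOptions parameter are hypothetical names; hasGrantedScopes, grant and SigninOptionsBuilder are the library's own calls. It assumes the GoogleUser object reflects the new grant once grant() resolves.

```javascript
// Added example: request only the scopes that are still missing.
// DRIVE_SCOPE is the Drive scope used on this page; the function
// names and the newOptions parameter are hypothetical.
const DRIVE_SCOPE = 'https://www.googleapis.com/auth/drive';

// Return the required scopes the signed-in user has not granted yet,
// using GoogleUser.hasGrantedScopes() for each scope.
function missingScopes(googleUser, required) {
  return [...new Set(required)].filter(
    (scope) => !googleUser.hasGrantedScopes(scope)
  );
}

// Resolve to true only when every required scope is granted afterwards.
// newOptions is injectable so the logic can run without the
// browser-only gapi global.
async function ensureScopes(
  googleUser,
  required,
  newOptions = () => new gapi.auth2.SigninOptionsBuilder()
) {
  const needed = missingScopes(googleUser, required);
  if (needed.length === 0) return true;  // already granted, no prompt

  const options = newOptions();
  options.setScope(needed.join(' '));    // ask for the delta only
  try {
    await googleUser.grant(options);
  } catch (err) {
    return false;                        // consent closed or denied
  }
  // Assumption: googleUser reflects the new grant once grant() resolves.
  // Re-check rather than treating "resolved" as "everything granted".
  return missingScopes(googleUser, required).length === 0;
}
```

Call it at the point of use, for example before the first playlist save, and continue only when ensureScopes(auth2.currentUser.get(), [DRIVE_SCOPE]) resolves to true.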