Does removing a scope from a Google OAuth2 client app invalidate tokens?

We need to remove an unnecessary scope from our Google OAuth2 client app.

Meanwhile, we have users who authorized our app with the previous scopes and we were granted their access and refresh tokens.

If we make the change and remove the scope, will existing tokens be invalid when we try to use them?

To be specific,

We are requesting the google.calendar and google.calendar.readonly scopes. But we don't need the google.calendar scope and are willing to remove it. After the removal, what will happen to existing access and refresh tokens which were granted at the time we were requesting both scopes?

  • Does this answer your question? Google Oauth removing scopes from access

  • @MicTest No, it does not

  • That question asks if they can remove requested scopes from existing tokens for further authorization. In our case we don't care if existing tokens will include the unnecessary scope; I just want to know whether the existing tokens are still valid and won't get an unauthorised response when we access resources.

  • In Google Cloud OAuth access tokens are validated at the time of usage. The scopes that you list in the Client are used to validate the client and to determine what type of validation (security audit) is required for your application. Since the maximum time a token can be valid is one hour, that is your maximum impact window. However, changing client scopes can switch a production client into one with a big warning box. I recommend creating a new client, waiting for verification, and then redeploying your app with the new Client ID.

  • Thanks @JohnHanley, yes we have already passed that verification stuff, a bit painful but done. What about existing refresh tokens issued before we removed the scope? Will they generate new access tokens with the new scopes, or at least are they still usable?
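The comment above puts the worst case for an already issued access token at one hour; for the refresh tokens the question asks about, the thing to verify is the `scope` field Google's token endpoint returns when a pre-change refresh token is exchanged after the change. The script below is an added example (not from the question or the commenters) that does that exchange and audits the result against the scope being kept and the one being dropped; it assumes the client credentials and an old refresh token are in the GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET and OLD_REFRESH_TOKEN environment variables (names chosen here), and falls back to constructed sample responses when they are not set.

```python
import json
import os
import urllib.parse
import urllib.request

TOKEN_URL = "https://oauth2.googleapis.com/token"
CALENDAR_RW = "https://www.googleapis.com/auth/calendar"           # scope being dropped
CALENDAR_RO = "https://www.googleapis.com/auth/calendar.readonly"  # scope still needed


def refresh_access_token(client_id, client_secret, refresh_token):
    """Exchange a stored refresh token for a fresh access token (network call)."""
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret,
                                   "refresh_token": refresh_token,
                                   "grant_type": "refresh_token"}).encode()
    req = urllib.request.Request(TOKEN_URL, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def token_scopes(token_response):
    """Google returns 'scope' as one space-separated string; normalise it to a set."""
    return set(token_response.get("scope", "").split())


def audit_scopes(token_response, needed, removed):
    """Does the token still cover what the app needs, and does it still carry
    scopes the app no longer requests (a candidate for revocation)?"""
    have = token_scopes(token_response)
    return {"usable": needed <= have,
            "missing": sorted(needed - have),
            "overprivileged": sorted(have & removed),
            "expires_in": int(token_response.get("expires_in", 0))}


# Constructed sample token responses (not real tokens) so the audit runs offline.
OLD_GRANT = {"access_token": "ya29.EXAMPLE-OLD", "expires_in": 3599,
             "token_type": "Bearer", "scope": f"{CALENDAR_RW} {CALENDAR_RO}"}
TRIMMED_GRANT = {"access_token": "ya29.EXAMPLE-NEW", "expires_in": 3599,
                 "token_type": "Bearer", "scope": CALENDAR_RO}

if __name__ == "__main__":
    # Live check when GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET and OLD_REFRESH_TOKEN
    # (a refresh token issued before the scope change) are set; otherwise offline sample.
    keys = ("GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET", "OLD_REFRESH_TOKEN")
    resp = (refresh_access_token(*(os.environ[k] for k in keys))
            if all(k in os.environ for k in keys) else OLD_GRANT)
    print(audit_scopes(resp, {CALENDAR_RO}, {CALENDAR_RW}))
```

Tokens the audit reports as overprivileged can be revoked via Google's https://oauth2.googleapis.com/revoke endpoint so the affected users re-consent to the trimmed scope list.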



