Johann

Reputation: 29867

oAuth 2.0 scope for user ID from Google account

I would like to use oAuth to retrieve a user's ID and preferably ONLY their ID and not their e-mail address, name or any other information.

In Android, I know how to use the Google Play APIs to obtain tokens and can bring up the dialog where the user grants permission to an app to have access to the requested data. I generally use the AccountManager to bring up the dialog that allows the user to select which email address to use for the account that will authorize the app. In this sense, I already have access to their email address, although I don't really need it. What I really want is the ID of the Google account associated with that email address. I also do not want to use Google+ as this requires accessing too much private information.

The scope I found closest was:

https://www.googleapis.com/auth/userinfo.email

However, since I already have access to their email address when they selected it from AccountManager, it doesn't seem to make sense asking the user for permission to their email address.

Is there a scope that I can call that retrieves just the user's account ID?

EDIT: Apparently I am not the only one pissed about this: http://www.club4850.com/?p=46970

This is why a company like WhatsApp became successful. They require no registration or access to any information about the user. Google's sign in displays the requested permission "Know who you are on Google" - Great way to lose a lot of users.

Upvotes: 1

Views: 1352

Answers (2)

ferrouskid

Reputation: 661

For anyone still looking:

There is this scope: https://www.googleapis.com/auth/userinfo.profile

The way I access it in NodeJs is like this (I know the question is for android but it's not going to be too different in Java I imagine):

const { google } = require('googleapis');

// Placeholders: an OAuth2 client whose access token was granted the userinfo.profile scope
const oauth2Client = new google.auth.OAuth2(CLIENT_ID, CLIENT_SECRET, REDIRECT_URI);
oauth2Client.setCredentials({ access_token: ACCESS_TOKEN });

const oauth2 = google.oauth2({ auth: oauth2Client, version: 'v2' });

async function getUserId() {
  const userInfo = await oauth2.userinfo.get();
  return userInfo.data.id;
}

Upvotes: 0

Johann

Reputation: 29867

Doing more research, there is a solution. However, this does require allowing the user to divulge their email address. The solution is called Cross Client Identity:

Verifying Back-End Calls from Android Apps: https://developers.google.com/accounts/docs/CrossClientAuth

Basically it works like this:

  1. In your app, you pop up the AccountManager dialog that presents the user with the list of registered email addresses on their device. NOTE: These addresses have already been confirmed with Google when the user added the email to their device, so there is no way for someone to enter just any e-mail address. They can only select from those that have been set up with the device and verified by Google.
  2. You then call GoogleAuthUtil.getToken with the scope audience:server:client_id:xxx, where xxx is the client ID that you hardcode into your app, which is retrieved from the Google API console for the app.
  3. A token is returned in the format of a JSON Web Token (JWT), which you then send to the server, where you decode it using a JWT library (available on the web). At this point, you have the user ID and their email address. You should verify the token by sending it to Google to make sure they issued it, and check that the client ID in the token matches the one you have in your Google API console project.

I've tested this out and it works. No need to store passwords on the device and no need to request any weird permissions that the user would get turned off by. However, the user has to live with divulging their email address, but most will generally have less of a problem with that. You can however tell your user in the app that you don't store their email address or other info if that helps to gain more trust.

Here is also an online tool that can decode JWT tokens that you can use during development to quickly see what data the token contains:

Decode JWT token

Upvotes: 1
