Remove scopes from Firebase OAuthProvider('google.com')

Question

I am using a vanilla configuration of the firebase Auth SDK. It is currently asking for all of these scopes.

I do not need profile picture or name, and would love to remove them. Is it possible?

Answer 1

Simple answer is No name, and picture permissions are granted to your application when you request the profile scope as part of signin.

explanation

Assuming you are following the example found here. If you check the lines called addScopes.

provider.addScope('profile');
provider.addScope('email');

This is where you define what permissions your applicating needs. The email and profile scopes are part of Google sign in (Open Id Connect) The profile scope give you access to some basic profile information about the user. Part of basic profile information is their picture.

These two claims are actually returned by the user info endpoint. This is the response from the userinfo endpoint when I authorized only with the profile scope.

{
  "family_name": "Lawton", 
  "name": "Linda Lawton", 
  "picture": "https://lh3.googleusercontent.com/a-/AOh14GhroCYJp2P9xeYeYk1npchBPK-zbtTxzNQo0WAHI20=s96-c", 
  "locale": "en", 
  "given_name": "Linda", 
  "id": "1172004755376"
}

This is all default, so its not something you can change.

full example

// Using a redirect.
firebase.auth().getRedirectResult().then(function(result) {
  if (result.credential) {
    // This gives you the OAuth Access Token for that provider.
    var token = result.credential.accessToken;
  }
  var user = result.user;
});

// Start a sign in process for an unauthenticated user.
var provider = new firebase.auth.OAuthProvider('google.com');
provider.addScope('profile');
provider.addScope('email');
firebase.auth().signInWithRedirect(provider);