Contact Importing

Google’s Granular Controls

You might have received an email from Google about "granular controls". CloudSponge is on it. Read on to learn about the details.

Google has been sending out emails about this change coming to their OAuth UX.
Google’s cryptic warning…

Starting June 17, 2024, Google users will get more granular controls for sharing their Google account data with third-party apps. Test your app and make any necessary updates for the best user experience.

Before unpacking what this email means, know that CloudSponge customers are covered. This change already happened for new Google OAuth projects, so we’ve taken it in stride and your Google connection will continue to function normally.

Now let’s get into what the email means.

Did Google’s Announcement Confuse You?

You may have received an email from Google discussing new granular controls and found the explanation a bit puzzling. Don’t worry—I’m here to help simplify what this means. As developers, we’ve adapted to numerous updates from Google, including the shift to granular controls, which have been standard for new OAuth projects for a couple years. Initially, these changes seemed complex, especially when we were focused on incremental OAuth, a method where you request the minimum permissions necessary for the current task.

Why Incremental OAuth Matters

Incremental OAuth is significant because it respects user privacy by not overreaching on permissions. For instance, if your app offers features like “Sign in with Google” and “invite your friends,” it’s best to request permissions separately. Ask for login permissions first, then request contact access only when the user decides to invite friends. This method ensures that you’re not asking for more access than needed, which aligns with the principle of least privilege.

Understanding Granular Controls

Granular controls take the idea of minimal permission a step further by placing the ultimate decision about data sharing in the user’s hands. While your app might still request only necessary permissions, granular controls allow users to modify these requests. For example, even if your app requests access to all contact categories to enhance functionality, a user might choose to restrict access to just their primary contacts. This new level of control respects user preferences and requires apps to be more adaptable in their design.

Navigating the New Landscape

The introduction of granular controls means that the OAuth process isn’t just a binary approve or deny system anymore. Now, the outcomes vary:

  • None of the requested scopes were granted.
  • Some of the scopes were granted.
  • All of the scopes were granted.

As developers, we must adapt to these nuances. Testing how your app handles partial permissions is crucial to ensuring functionality doesn’t break under different user choices.

Key Takeaways

If you set up a Google OAuth project before the implementation of granular controls, expect to receive an email about these changes. The transition may seem daunting, but remember, never assume anything—always test your integrations thoroughly. By preparing for partial permissions, you ensure that your app remains functional and respects user choices, aligning with modern privacy standards.

By focusing on these elements—incremental OAuth and the implications of granular controls—you can better prepare for the changes and ensure a smooth transition for your app and its users.

Graeme Rouse, CTO at CloudSponge

Follow @thunderouse


Try CloudSponge for free in your
testing environment

Get Started

Have a questions or prefer a guided tour?
Schedule a consultation with our Founder.