How to Exclude Email Address from JWT with Google Identity Services using Only openid Scope


I'm working on a React application and leveraging Google Identity Services for user authentication. My goal is to authenticate users without requesting or accessing their email addresses. According to the Google Cloud Console, I've configured the OAuth consent screen to utilize only the openid scope.

However, the JWT (ID Token) I receive after user authentication still includes the user's email address, contrary to my expectations. Here's how I've integrated Google Identity Services in my application (App.js):

import React, { useEffect } from "react";

const App = () => {
  useEffect(() => {
    const handleCredentialResponse = (response) => {
      console.log("Encoded JWT ID token: " + response.credential);
      // Further processing here
    };

    const initializeGoogleSignIn = () => {
      if (window.google) {
        window.google.accounts.id.initialize({
          client_id: "MY_CLIENT_ID.apps.googleusercontent.com",
          callback: handleCredentialResponse,
        });
        window.google.accounts.id.prompt();
      }
    };

    if (document.readyState === "complete") {
      initializeGoogleSignIn();
    } else {
      window.onload = initializeGoogleSignIn;
    }
  }, []);

  return (
    <div className="App"></div>
  );
};

export default App;

Additionally, my public/index.html correctly loads the Google Identity Services library:

<script src="https://accounts.google.com/gsi/client" async defer></script>

I was under the impression that specifying only the openid scope would mean the ID token does not include the user's email. Is there any specific configuration I'm missing, or is there a misunderstanding about how the openid scope influences the contents of the returned ID token?

Any insights or advice would be greatly appreciated!


There are 0 answers
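As an added example (not code from the question or from Google's library), here is a helper that decodes the ID token handed to `handleCredentialResponse` and reports which claims it carries beyond the bare `openid` set, so you can see precisely what the token contains. It assumes a Node or browser runtime and uses a constructed, unsigned sample token; the claim groupings (`email`, `profile`) are the usual OpenID Connect scope-to-claim mapping, and decoding is not signature verification.

```javascript
// Added example, not from the question: decode the ID token handed to
// handleCredentialResponse and report which claims go beyond the bare
// `openid` scope. Decoding is not verification: verify the signature on the
// backend before trusting any claim.

const OPENID_CORE_CLAIMS = new Set(["iss", "sub", "aud", "exp", "iat", "nbf", "jti", "azp", "nonce", "at_hash", "hd"]);
const EMAIL_CLAIMS = ["email", "email_verified"];                                   // `email` scope
const PROFILE_CLAIMS = ["name", "given_name", "family_name", "picture", "locale"]; // `profile` scope

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  if (typeof Buffer !== "undefined") return Buffer.from(padded, "base64").toString("utf8");
  // Browser path: atob yields a binary string, decode it as UTF-8.
  return new TextDecoder().decode(Uint8Array.from(atob(padded), (c) => c.charCodeAt(0)));
}

function decodeIdTokenClaims(idToken) {
  const parts = idToken.split(".");
  if (parts.length !== 3) throw new Error("expected a compact JWS with 3 dot-separated parts");
  return { header: JSON.parse(base64UrlDecode(parts[0])), payload: JSON.parse(base64UrlDecode(parts[1])) };
}

// Group the payload's claims by the scope that normally supplies them.
function classifyClaims(payload) {
  const keys = Object.keys(payload);
  const isKnown = (k) => OPENID_CORE_CLAIMS.has(k) || EMAIL_CLAIMS.includes(k) || PROFILE_CLAIMS.includes(k);
  return {
    email: keys.filter((k) => EMAIL_CLAIMS.includes(k)),
    profile: keys.filter((k) => PROFILE_CLAIMS.includes(k)),
    other: keys.filter((k) => !isKnown(k)),
  };
}

// Drop-in for the callback in the question: returns the report instead of logging the raw token.
function auditCredentialResponse(response) {
  return classifyClaims(decodeIdTokenClaims(response.credential).payload);
}

// Constructed, unsigned sample (the signature segment is a placeholder, not a real Google token).
function base64UrlEncode(text) {
  const b64 = typeof Buffer !== "undefined" ? Buffer.from(text, "utf8").toString("base64") : btoa(text);
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE_ID_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: "RS256", typ: "JWT", kid: "example-kid" })),
  base64UrlEncode(JSON.stringify({
    iss: "https://accounts.google.com", aud: "MY_CLIENT_ID.apps.googleusercontent.com", sub: "1234567890",
    email: "user@example.com", email_verified: true, name: "Example User", iat: 1700000000, exp: 1700003600,
  })),
  "placeholder-signature",
].join(".");
```

Calling `auditCredentialResponse({ credential: SAMPLE_ID_TOKEN })` on the sample returns `email: ["email", "email_verified"]`, which is the kind of result that confirms the token carries email claims regardless of what the consent screen lists.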