How to Persist Additional Gmail Permissions Across Logins with NextAuth.js? #11819
Replies: 2 comments
- @winter-frostbyte-dev were you able to figure this out? I'm surprised this isn't in the Auth.js documentation, to be honest. I was thinking of creating a separate Google Application (with a new client id and secret), and having the user connect to this separate application after they log in to my main application... But that seems overly complex, and I don't think you need to do this (Clerk offers a way to request additional user scopes without creating a new Google client id/secret: link)
- The problem is that the OAuth spec dictates that access tokens (and probably refresh tokens) cannot gain scopes once they're issued. Therefore, the initial sign in from NextAuth and the subsequent sign in to the

  Potential solutions depend on how you're making calls to Google's APIs and also on your NextAuth session strategy. Server- or client-side fetching of Google APIs? NextAuth JWT or database?

  If it were up to me, for a low-traffic app, I'd use NextAuth with a database to persist the refresh/access token with all required scopes, but keep a separate database record of whether a user wants your app to read their Gmail, then make all calls to the Google API on the server after checking both auth and, from this database, whether the user wants emails read. Tokens technically allow your app to read their emails at any time; the option to allow reading is in your hands, not Google's tokens. The button that used to do the second signIn would instead just toggle reading on/off for the user in your database.

  You don't need a whole other Google Application with a different client id and secret.

  Relevant info for long-term sessions
Hi all,
I’m using NextAuth.js with the Google provider in my application. By default, I only request the profile and email scopes, which works well for normal login. Here's my provider configuration:
I have a section in my application that requires access to the user's Gmail (to read and display their emails). I don’t want to force users to grant Gmail permissions during the initial login. Instead, I want to add a button in that specific section so that users can grant Gmail access only when they need it.
For the current session, the following code works to request Gmail permissions dynamically:
However, the issue is that once the user logs out and logs back in, the Gmail permission is "lost," and they have to press the button again. I assume this happens because my Google provider setup doesn’t request the Gmail permission by default, so it doesn’t persist across sessions.
My question: Is there a way to persist the Gmail permission across logins so that the user doesn’t have to press the button and re-grant the permission every time they log in?
Thanks in advance for any help!
Related to:
- How to update the existing account scope incrementally
- How to add additional OAuth Scopes / Permissions to existing account
These issues are similar to mine, but neither provides a solution for ensuring that the Gmail permission persists across logins. Although the Gmail permission is successfully granted and appears under "https://myaccount.google.com/connections" for my application (indicating that it’s set permanently), I lose access to it after the user logs out and logs back in. I believe this happens because the Gmail permission isn't included in my Google provider's scope definition by default. I’m looking for a way to persist this permission without the user needing to re-grant it after every login.
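The following is an added example, not code from the question, the replies, or NextAuth.js itself. It models as plain functions the approach the question and the second reply both point at: request the Gmail scope incrementally with Google's `include_granted_scopes` parameter, keep the broadest refresh token the app was ever issued instead of letting a routine login overwrite it, and gate Gmail reads on an app-side flag rather than on the mere presence of a token. The persisted field names (`refreshToken`, `scopes`), the `userPrefs.gmailReadEnabled` flag, and the client id / redirect URI values are assumptions for illustration; `account` has the shape NextAuth passes to `callbacks.jwt` after a Google sign-in (Google's token response, whose `scope` field lists the scopes actually granted).

```javascript
// Added example: persisting an incrementally granted Gmail scope across
// NextAuth.js logins. Not part of the original discussion.
// Assumptions (hypothetical, not from the page): record fields
// `refreshToken`/`scopes`, an app-side `userPrefs.gmailReadEnabled` flag.

const GOOGLE_AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth";
const GMAIL_READ_SCOPE = "https://www.googleapis.com/auth/gmail.readonly";
const BASE_SCOPES = ["openid", "email", "profile"];

// Google returns granted scopes as one space-separated string.
function parseScopes(scopeString) {
  return (scopeString ?? "").split(/\s+/).filter(Boolean);
}

// Authorization URL behind the "grant Gmail access" button.
// include_granted_scopes=true: Google's incremental authorization, so the new
//   grant also covers previously granted scopes and one refresh token serves all.
// access_type=offline: ask for a refresh token; that is what outlives the session.
// prompt=consent: Google only hands out a refresh token when the consent screen
//   is shown, so a returning user may otherwise get none.
function buildIncrementalAuthUrl({ clientId, redirectUri, state, extraScopes }) {
  const params = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: "code",
    scope: [...BASE_SCOPES, ...extraScopes].join(" "),
    include_granted_scopes: "true",
    access_type: "offline",
    prompt: "consent",
    state,
  });
  return `${GOOGLE_AUTH_URL}?${params.toString()}`;
}

// Decide what to persist after a sign-in. `stored` is the record kept from
// earlier sign-ins (null the first time). A plain login that only requested
// the base scopes must not replace a refresh token issued with the Gmail
// scope: that overwrite is how the permission appears "lost" even though
// Google still lists the grant under the account's connections page.
function mergeGrant(stored, account) {
  const granted = parseScopes(account.scope);
  const prevScopes = stored?.scopes ?? [];
  const atLeastAsBroad = prevScopes.every((s) => granted.includes(s));
  if (!stored?.refreshToken || (account.refresh_token && atLeastAsBroad)) {
    return { refreshToken: account.refresh_token ?? null, scopes: granted };
  }
  // Narrower grant, or no refresh token this time: keep what we already hold.
  return stored;
}

// Shape of callbacks.jwt under the JWT session strategy. `account` is only
// present on the sign-in request; on every other request the stored value
// is carried over unchanged.
function jwtCallback({ token, account }) {
  if (account) token.google = mergeGrant(token.google ?? null, account);
  return token;
}

// Server-side gate before any Gmail API call, as the second reply suggests:
// the refresh token must carry the scope AND the user must have switched
// reading on in the app. Holding a token is not itself a decision to use it.
function canReadGmail(googleRecord, userPrefs) {
  const hasScope =
    Boolean(googleRecord?.refreshToken) &&
    (googleRecord.scopes ?? []).includes(GMAIL_READ_SCOPE);
  return hasScope && userPrefs?.gmailReadEnabled === true;
}
```

Two caveats when wiring this into a real app. With the database session strategy, NextAuth writes the `Account` row when the provider is first linked and does not refresh its tokens on later sign-ins by itself, so the same keep-the-broadest-token logic has to run where the account is updated (for example in the `signIn` event). And the user can revoke the grant at any time from the Google connections page, after which the stored refresh token fails with `invalid_grant`; treat that as "clear the record and show the button again", not as a transient error.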