How to update the existing account scope incrementally

[abayoss]

Question 💬

TL;DR; Need to add additional OAuth scopes to an existing user account, without loosing the old scopes (openid, profile, email, others...)

Use-case: After a user have signed up to our website (using the google or email provider), they can optionally opt-in to grant access for Google Spreadsheets or Google Calendar Events, so an additional scope such as https://www.googleapis.com/auth/spreadsheets, should be granted by opening a new Consent screen with extended permissions / scopes, the new scope should be added to the existing account that was initiated in the first signed up without loosing the existing scopes.

We are using the google provider, after the sign up/ login the user can grant access to additional scopes, i've seen how to open a Consent screen with extended permissions / scopes, (using the additional parameters in the client signin method), the consent screen opens with the provided scope,
when the user accepts the required scope, we need to update the existing user account (scope field)

We also need a way to check if a given user has a certain scope from the rest api or the client

We can update/get the scope filed if we go directly to the database, but we are wondering if there is a better way to handle this use case using next auth

Related to: How to add additional OAuth Scopes / Permissions to existing account

How to reproduce ☕️

What we are using to open the consent prompt
signIn("google", {}, { scope: joinedScopes, prompt: "consent" });

Full project example

Contributing 🙌🏽

Yes, I am willing to help answer this question in a PR

[balazsorban44]

Should be answered already in the discussion you linked. 🤔 #2068 (comment)

For updating the database, I believe the signin event should be the right place to do this https://next-auth.js.org/configuration/events#signin

[YannHulot]

@abayoss did you manage to do what you wanted? I am looking into doing the same thing but I am little bit stuck. Would you happen to have an example project that you could share?

[mbrookson]

I have the same issue and unfortunately it doesn't seem like next-auth actually handles this fully.

I have solved this in my app by implementing the signIn event. Once the user authenticates with the Google provider with the updated scopes enabled, the signIn event fires with the user and an updated account object as one of of the params, which includes that latest access token, refresh token and scope etc. I then use this to update the existing account in the database for the user.

Not ideal but think it works okay. Hope this helps.