0

I’m using Passport.js with Google OAuth 2.0 in my Node.js app to authenticate users and request access to Google Calendar events. Despite adding the calendar.events scope in both my Passport strategy and Google Cloud Console, the consent screen does not prompt for calendar access, and the returned access token is missing the calendar.events scope.

What I’ve tried:

Added calendar.events in the Passport strategy:

`passport.use(
  new GoogleStrategy(
    {
      clientID: process.env.GOOGLE_CLIENT_ID,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET,
      callbackURL: process.env.BACKEND_HOST + "/auth/google/callback",
      scope: [
        "email",
        "https://www.googleapis.com/auth/calendar.events"
      ],
      accessType: "offline",
      prompt: "consent",
    },
    async (accessToken, refreshToken, profile, done) => {
      console.log("access token", accessToken);
      const response = await fetch(
        "https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=" +
          accessToken
      );
      const data = await response.json();
      console.log("Token Info:", data);
    }
  )
);`

  1. Verified that calendar.events is added in the Google Cloud Console under OAuth consent screen.

  2. Tested with https://www.googleapis.com/oauth2/v1/tokeninfo to inspect the access token — only the default userinfo.email, userinfo.profile, and openid scopes are present.

  3. Added prompt: "consent" and accessType: "offline" to force re-consent.

  4. Revoked access via Google Permissions and retried, but still no prompt for calendar access.

Expected behavior:

The Google consent screen should prompt for calendar access when logging in. The access token should include the calendar.events scope. Actual behavior:

No calendar permission prompt is shown, and the token is missing the calendar.events scope. What could be causing this?

Is there any additional configuration required to request calendar.events? Could it be related to how Passport.js handles the scope?

Improve this question
2
  • Two possibilities that you don't cover in your question: (1) Are these consumer e.g. Gmail accounts? Or Google Workspace accounts? (2) You may need to have your app verified for its use of Calendar's OAuth scopes (see Restricted Scopes) Commented Mar 12 at 17:37
  • * I’m using a personal Gmail account (consumer account), not a Google Workspace account. *I haven’t verified the app yet. However, from what I understand, https://www.googleapis.com/auth/calendar.events is classified as a "sensitive" scope, not a "restricted" one. As per the [Google OAuth verification documentation], unverified apps should still be able to request sensitive scopes , but I don’t even get the calendar prompt at all. Would the lack of app verification prevent the scope from being included in the token? Or is there something else I might be missing? Commented Mar 13 at 2:10
Related questions
1368
How do I get the path to the current script with Node.js?
907
Working with $scope.$emit and $scope.$on
0
Error: Unknown authentication strategy "google" in Passport.js OAuth Setup
Load 4 more related questions Show fewer related questions

0

Reset to default

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.