Google Calendar OAuth Scope Request

Hi -

Currently the Google Calendar OAuth API asks for the following permission from the users: “See, edit, share, and permanently delete all the calendars you can access using Google Calendar”

This “reads” very intrusive and might raise concerns with some privacy focused users - especially “permanently delete all the calendars” part. Is there a need to get the maximum scope permission for users calendar management?

Is it possible for Jitsi to manage with just “read and update” scope for Calendar? If yes, can I make the change in the code directly without npm and install? Thank you!

Hi there!

Currently we are using the https://www.googleapis.com/auth/calendar scope. Looking at https://developers.google.com/calendar/auth I think we might be able to work with https://www.googleapis.com/auth/calendar.readonly and https://www.googleapis.com/auth/calendar.events

What we need is basically to list events and modify them. It’s possible it works with those 2 alone. The change needs to happen here: https://github.com/jitsi/jitsi-meet/blob/4c065f2de161ad7e22481cf263fb96ba7f15fc3f/react/features/google-api/googleApi.web.js#L68 but you’ll need to rebuilt Jitsi Meet in order to test it out.

@damencho (when you’re back, no rush) Do you remember why we chose the broadest scope and do you think my reasoning above makes sense?

1 Like

Hi @saghul

Thank you for the pointers.

It worked with just this scope request https://www.googleapis.com/auth/calendar.events. I’m able to view and edit calendar.

Your link the file above is looking for constants defined here https://github.com/jitsi/jitsi-meet/blob/4c065f2de161ad7e22481cf263fb96ba7f15fc3f/react/features/google-api/constants.js#L64

Thanks for giving it a shot! Can you send a PR so we can discuss making the change?

Sure thing @saghul. I don’t know how to create the PR but I will look into it and send one soon.

1 Like

Please note that the following scopes are required for Google calendar to work with Jitsi as @saghul pointed out above. Just calendar.events alone is not enough.

https://www.googleapis.com/auth/calendar.readonly AND
https://www.googleapis.com/auth/calendar.events

Shrinking the scopes used seems fine. We will just have problem after updating meet.jit.si, as it will start showing unverified app window for new users that give access to the calendar, till we not change it and send a video to Google how to test it and what does it looks like.

Thanks for chiming in @damencho!