@kennwhite
Forked from arirubinstein/pokemon_tokens.md
Created July 12, 2016 04:26

TLDR: Pokemon Go can't read your gmail - I checked

Pokemon tokens are requested with these understandable scopes:

Here is the actual URL that loads in the webview on iOS: https://accounts.google.com/ServiceLogin?passive=1209600&continue=https://accounts.google.com/o/oauth2/programmatic_auth?scope%3Dopenid%2Bemail%2Bhttps://www.google.com/accounts/OAuthLogin%2Bhttps://www.googleapis.com/auth/userinfo.email%26client_id%3D848232511240-73ri3t7plvk96pj4f85uj8otdat2alem.apps.googleusercontent.com%26from_login%3D1%26as%3D-....&ltmpl=embedded&oauth=1&sarp=1&scc=1

Pokemon Google App Info:

  • Client ID: 848232511240-73ri3t7plvk96pj4f85uj8otdat2alem.apps.googleusercontent.com
  • Client Secret: NCjF1TLi.............

Going through the auth process on the device yields a bearer token at the end of the exchange. According to Google (Google's OAuth playground and the token info endpoint), that token has access to:

```json
// API callback
{
 "issued_to": "848232511240-73ri3t7plvk96pj4f85uj8otdat2alem.apps.googleusercontent.com",
 "audience": "848232511240-73ri3t7plvk96pj4f85uj8otdat2alem.apps.googleusercontent.com",
 "scope": "https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/userinfo.email https://www.google.com/accounts/OAuthLogin",
 "expires_in": 3472,
 "email": "itme@gmail.com",
 "verified_email": true,
 "access_type": "offline"
}
```
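The check described above, as an added example that is not part of the original gist: it pulls the requested scopes and client ID out of the nested `programmatic_auth` URL, reads the granted scopes and audience from the token info response, and reports whether any Gmail scope was granted, whether the audience matches the client ID, and which scopes differ between request and grant. The login URL and token info below are constructed from the values on this page, with the elided `as=` value replaced by a placeholder.

```python
from urllib.parse import parse_qs, urlsplit

# Gmail scopes that would allow reading mail (real scope URIs).
MAIL_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
}
# Google accepts these short aliases for the full userinfo scope URIs.
ALIASES = {
    "email": "https://www.googleapis.com/auth/userinfo.email",
    "profile": "https://www.googleapis.com/auth/userinfo.profile",
}

# Constructed sample: the login URL from the write-up; "as" is a placeholder.
LOGIN_URL = (
    "https://accounts.google.com/ServiceLogin?passive=1209600&continue="
    "https://accounts.google.com/o/oauth2/programmatic_auth?scope%3Dopenid%2Bemail%2B"
    "https://www.google.com/accounts/OAuthLogin%2Bhttps://www.googleapis.com/auth/userinfo.email"
    "%26client_id%3D848232511240-73ri3t7plvk96pj4f85uj8otdat2alem.apps.googleusercontent.com"
    "%26from_login%3D1%26as%3DPLACEHOLDER&ltmpl=embedded&oauth=1&sarp=1&scc=1"
)
# Constructed sample mirroring the token info response shown above.
TOKENINFO = {
    "audience": "848232511240-73ri3t7plvk96pj4f85uj8otdat2alem.apps.googleusercontent.com",
    "scope": "https://www.googleapis.com/auth/plus.me "
             "https://www.googleapis.com/auth/userinfo.email "
             "https://www.google.com/accounts/OAuthLogin",
}

def requested_scopes(login_url):
    """Return (client_id, scopes) from the programmatic_auth URL nested in 'continue'."""
    outer = parse_qs(urlsplit(login_url).query)          # %2B decodes to '+', the separator
    inner = parse_qs(urlsplit(outer["continue"][0]).query)  # '+' becomes a space here
    scopes = {ALIASES.get(s, s) for s in inner["scope"][0].split()}
    return inner["client_id"][0], scopes

def audit(login_url, tokeninfo):
    """Compare what the app asked for with what the token actually carries."""
    client_id, asked = requested_scopes(login_url)
    got = set(tokeninfo["scope"].split())
    return {
        "audience_matches_client": tokeninfo["audience"] == client_id,
        "mail_scopes": sorted(got & MAIL_SCOPES),            # empty => cannot read mail
        "granted_not_requested": sorted(got - asked),        # worth a look if non-empty
        "requested_not_granted": sorted(asked - got),
    }

if __name__ == "__main__":
    print(audit(LOGIN_URL, TOKENINFO))
```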

List of all services this token can be used with, according to Google:

Google Apps Script Execution API v1

  • Run Scripts Runs a function in an Apps Script project that has been deployed for use with the Apps Script Execution API. This method requires authorization with an OAuth 2.0 token that includes at least one of the scopes listed in the Authentication section; script projects that do not require authorization cannot be executed through this API. To find the correct scopes to include in the authentication token, open the project in the script editor, then select File > Project properties and click the Scopes tab.

Google Dataflow API v1b3

  • Jobs Projects Creates a dataflow job.
  • Jobs Projects Gets the state of the specified dataflow job.
  • Jobs Projects Request the job status.
  • Jobs Projects List the jobs of a project
  • Jobs Projects Request the job status.
  • Jobs Projects Updates the state of an existing dataflow job.
  • Jobs Projects Leases a dataflow WorkItem to run.
  • Jobs Projects Reports the status of dataflow WorkItems leased by a worker.
  • WorkerMessages Projects Send a worker_message to the service.

Google People API v1

  • Get People Provides information about a person resource for a resource name. Use people/me to indicate the authenticated user.
  • GetBatch Get People Provides information about a list of specific people by specifying a list of requested resource names. Use people/me to indicate the authenticated user.

Google+ Domains API v1

  • Get Activities Get an activity.
  • Insert Activities Create a new activity for the authenticated user.
  • List Activities List all of the activities in the specified collection for a particular user.
  • List Audiences List all of the audiences to which a user can share.
  • Insert Circles Create a new circle for the authenticated user.
  • List Circles List all of the circles for a user.
  • Insert Media Add a new media item to an album. The current upload size limitations are 36MB for a photo and 1GB for a video. Uploads do not count against quota if photos are less than 2048 pixels on their longest side or videos are less than 15 minutes in length.
  • Get People Get a person's profile.
  • List People List all of the people in the specified collection.

Consumer Surveys API v2

  • Get Mobileapppanels Retrieves a MobileAppPanel that is available to the authenticated user.
  • List Mobileapppanels Lists the MobileAppPanels available to the authenticated user.
  • Update Mobileapppanels Updates a MobileAppPanel. Currently the only property that can be updated is the owners property.
  • Get Results Retrieves any survey results that have been produced so far. Results are formatted as an Excel file.
  • Get Surveys Retrieves information about the specified survey.
  • Insert Surveys Creates a survey.
  • List Surveys Lists the surveys owned by the authenticated user.
  • Start Surveys Begins running a survey.
  • Stop Surveys Stops a running survey.
  • Update Surveys Updates a survey. Currently the only property that can be updated is the owners property.

Google+ API v1

  • Get Activities Get an activity.
  • List Activities List all of the activities in the specified collection for a particular user.
  • Search Activities Search public activities.
  • Get Comments Get a comment.
  • List Comments List all of the comments for an activity.
  • Get People Get a person's profile. If your app uses scope https://www.googleapis.com/auth/plus.login, this method is guaranteed to return ageRange and language.
  • List People List all of the people in the specified collection.
  • ListByActivity People List all of the people in the specified collection for a particular activity.
  • Search People Search all public profiles.

Google OAuth2 API v2

  • Get Userinfo
  • V2 Userinfo

Conclusion

"Full account access" is not the best wording, and should probably be changed on Google's end. Also, apps that have an auth flow to a website should always show the URL, and identity providers should always prompt if more-than-usual permissions are asked for.

My best guess for what is happening is that one of the scopes is a legacy "login" scope from OAuth1 which may be leading the UI to default to "Full account access", when in reality, it only has the above perms.

I also manually validated my bearer token that was generated from this process against gmail, and it errors out with a 403.

If anyone has more info about https://www.google.com/accounts/OAuthLogin and what it used to be used for, please send me resources as I couldn't really find much on the internet.
