Question

I'm currently trying to allow users of my application to authorize my app to access their Doubleclick for Advertisers API. I'm handling this authorization using Passport.js. When I include both the profile scope and DFA scope like this:

  app.get '/requestAccess', passport.authenticate 'dfa',
    scope: [
      'https://www.googleapis.com/auth/dfatrafficking',
      'profile'
    ]

This works fine. However, I only care about the DFA API, and I don't actually intend on using anything from the profile scope, so I'd like to remove that:

  app.get '/requestAccess', passport.authenticate 'dfa',
    scope: [
      'https://www.googleapis.com/auth/dfatrafficking',
    ]

When I authorize using this route now, I get:

{
 "error": {
  "errors": [
   {
    "domain": "global",
    "reason": "insufficientPermissions",
    "message": "Insufficient Permission"
   }
  ],
  "code": 403,
  "message": "Insufficient Permission"
 }
}

This comes from Google, meaning that the scope I requested was insufficient. Is the profile scope required then for any kind of additional access? Why can't I only request the DFA scope?


Solution

No, the scope "profile" is not required for Google OAuth 2.0.

If you merely want the authorization for the DFA API, you only need this scope: https://www.googleapis.com/auth/dfatrafficking (as the official doc says, and this Java sample only uses this scope).

The reason you get "Insufficient Permission" is that when you use passport.authenticate 'dfa', authentication using an OAuth provider (in your case, Google) is performed, where the scope "profile" is required (as this doc says, "profile" is the basic scope for login).
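
An added example, not part of the original question or answer: one way to request only the DFA scope, assuming the 'dfa' strategy can be built on passport-oauth2's generic OAuth2Strategy, whose skipUserProfile option stops Passport from requesting a profile after the token exchange. The environment variable names, host name and callback route are placeholders.

```coffeescript
# Added example: authorization-only flow that requests a single scope.
express = require 'express'
passport = require 'passport'
OAuth2Strategy = require 'passport-oauth2'

DFA_SCOPE = 'https://www.googleapis.com/auth/dfatrafficking'

options =
  authorizationURL: 'https://accounts.google.com/o/oauth2/v2/auth'
  tokenURL: 'https://oauth2.googleapis.com/token'
  clientID: process.env.GOOGLE_CLIENT_ID          # assumed variable name
  clientSecret: process.env.GOOGLE_CLIENT_SECRET  # assumed variable name
  callbackURL: 'https://app.example.com/requestAccess/callback'  # placeholder
  skipUserProfile: true  # no profile lookup, so no 'profile' scope needed

# A five-argument verify callback also receives the raw token response
# (params), which carries the granted scopes as a space-delimited string.
verify = (accessToken, refreshToken, params, profile, done) ->
  granted = (params.scope ? '').split(/\s+/).filter Boolean
  unless DFA_SCOPE in granted
    # Reject the grant if the scope the app depends on is missing.
    return done null, false, message: 'DFA scope was not granted'
  extra = (s for s in granted when s isnt DFA_SCOPE)
  # Least privilege: surface anything granted beyond what was requested.
  console.warn 'Unexpected extra scopes granted:', extra if extra.length
  done null, {accessToken, refreshToken, scopes: granted}

passport.use 'dfa', new OAuth2Strategy(options, verify)

app = express()
app.use passport.initialize()

# session: false keeps this grant separate from any login session.
app.get '/requestAccess', passport.authenticate 'dfa',
  scope: [DFA_SCOPE]
  session: false

app.get '/requestAccess/callback',
  passport.authenticate('dfa', session: false),
  (req, res) ->
    # req.user is the object passed to done() in verify above.
    res.send "Granted scopes: #{req.user.scopes.join ' '}"

app.listen 3000
```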

Licensed under: CC-BY-SA with attribution