Starting the week of May 1 2025, we will roll out consent unbundling for OAuth user authentication to all Google Cloud projects which were created before 2019. If you own an application that uses an Ads-related API through a Google Cloud project created before 2019, you may need to update your application to handle unbundled user consent before May 1 2025.
Background
Consent unbundling for OAuth user authentication flow allows users to customize which specific OAuth scopes they want to authorize your application for, rather than an all-or-nothing approach. All the Google Cloud console projects created since 2019 have this feature turned on, whereas all the projects created before 2019 have this feature turned off.
The following screenshot shows the difference between an all-or-nothing consent prompt, and an unbundled consent prompt.
Figure 1: All-or-nothing consent screen. Users aren’t allowed to choose from a list of OAuth scopes.
Figure 2: Unbundled consent screen. Users are allowed to choose from a list of OAuth scopes.Who is affected by this change?
You will be affected by this change if ALL of the following conditions are met:
- Your API application uses a Google Cloud Console project that was created before 2019.
- Your application implements the OAuth 2.0 user consent flow – an authentication workflow where the user logs in with their Google account and grants one or more permissions that your application is requesting.
- Your application uses more than one Google API, and one of the APIs is an Ads-related API listed below.
- Existing refresh tokens: This change doesn’t affect user authentications that you already have in place. Your existing refresh tokens will continue to work without any changes or re-authentication.
- Single scope applications: If your application uses only one Google API scope, your application isn’t affected by this change, since there aren’t multiple OAuth scope to unbundle.
- Single user applications / Manually authenticated applications: Your application doesn’t have an explicit OAuth user authentication flow implemented. Instead, you use a manual authentication script such as GenerateUserCredentials, gcloud CLI or OAuth Playground to authenticate the user, and then use those credentials for a long period of time. Since you select all the scopes that your application requires while authenticating, your application isn’t affected by this change.
- Service accounts: If your application uses a service account to authenticate your API calls, you won’t be affected by this change
What do I need to do?
You need to ensure that your application can handle partial user consent. To do this,
- Request the list of OAuth scopes that the user consented to by including the
include_granted_scopesparameter in your OAuth flow. - Examine the actual list of OAuth scopes that the user consented in the OAuth response.
- Implement incremental authorization in your application.
How do I test this feature?
There are two ways to test this feature:
- Create a new Google Cloud project: New Google Cloud projects have enabled OAuth consent unbundling. So you can create a new Google Cloud project, and use it for testing your application.
- Enable consent unbundling in your existing project: You can set the
enable_granular_consentparameter to true in your OAuth authorization request.
The following APIs related to Ads are affected by this change.
How to get help
If you have any questions or need help, reach out to your respective API’s support team with your questions.
- Anash P. Oommen, Google Ads API Team