Requesting Additional Scopes

For the best user experience, you should request as few scopes as possible when initially signing in users. If your app's core functionality isn't tied to a Google service, the GoogleSignInOptions.DEFAULT_SIGN_IN configuration is often all you need at sign-in.

If your app has features that can make use of Google API data, but are not required as part of your app's core functionality, you should design your app to be able to gracefully handle cases when API data isn't accessible. For example, you might hide a list of recently saved files when the user hasn't granted Drive access.

You should request additional scopes that you need to access Google APIs only when the user performs an action that requires access to a particular API. For example, you might request permission to access the user's Drive only when the user taps a "Save to Drive" button for the first time.

By using this technique, you can avoid overwhelming new users, or confusing users as to why they are being asked for certain permissions.

Requesting permissions required by user actions

Whenever a user performs an action that requires a scope that isn't requested at sign-in, call GoogleSignIn.hasPermissions to check if the user has already granted the required permissions. If not, call GoogleSignIn.requestPermissions to launch an activity that requests the additional required scopes from the user.

For example, if a user performs an action that requires access to their Drive app storage, do the following:

if (!GoogleSignIn.hasPermissions(
        GoogleSignIn.getLastSignedInAccount(getActivity()),
        Drive.SCOPE_APPFOLDER)) {
    GoogleSignIn.requestPermissions(
            MyExampleActivity.this,
            RC_REQUEST_PERMISSION_SUCCESS_CONTINUE_FILE_CREATION,
            GoogleSignIn.getLastSignedInAccount(getActivity()),
            Drive.SCOPE_APPFOLDER);
} else {
    saveToDriveAppFolder();
}

In your activity's onActivityResult callback, you can check if the required permissions were successfully acquired, and if so, carry out the user action.

@Override
public void onActivityResult(int requestCode, int resultCode, Intent data) {
    super.onActivityResult(requestCode, resultCode, data);
    if (resultCode == Activity.RESULT_OK) {
        if (RC_REQUEST_PERMISSION_SUCCESS_CONTINUE_FILE_CREATION == requestCode) {
            saveToDriveAppFolder();
        }
    }
}

You can also pass a GoogleSignInOptionsExtension to hasPermissions and requestPermissions to check for and acquire a set of permissions more conveniently.