9

I know that this is something like an 'RTFM' question, but I can't for the life of me find solid documentation about this.

Specifically, I have a service that uses Google's OAuth2 REST API to authenticate users. The library I'm using (bell) recently started making calls to the /v2 version of the API endpoint. Those calls no longer seem to support approval_prompt=force in the query string (or something along those lines; I'm no longer able to use a special route to force a new refresh token).

Realistically, all I need to do is read the documentation for what changed from v1 to v2 of the OAuth2 library, or even find v2-specific information. All the documentation on developers.google.com seems to be about the v1 API.

William Denniss
pfooti

1 Answer

8

There is no documented list of changes at present. The main change from /auth to v2/auth, and v3/token to v4/token, is that the newer versions are certified compliant with OpenID Connect. The earlier versions had a few inconsistencies with the spec, mostly because when Google launched them the spec was not yet final.

approval_prompt is now prompt. To get your approval_prompt=force behavior on the newer endpoint, specify prompt=consent. Other values for the prompt parameter are defined in section 3.1.2.1 of the spec.

Other changes, in no particular order:

  1. the ID Token iss value is now https://accounts.google.com, was accounts.google.com
  2. nonce is required for implicit and hybrid flows
  3. ID tokens on the newer endpoints may contain profile claims (if the profile scope was requested), saving a call to userinfo.
William Denniss
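The changes listed in the answer, applied on the client side, as an added example that is not code from bell, Google, or either poster. The function names are hypothetical, the sample values are constructed, and the full endpoint URL is an assumption, since the page names only the v2/auth path. The claim check assumes the ID token's signature has already been verified elsewhere.

```javascript
// Added example: function names are hypothetical, not part of bell or Google's libraries.
// Assumption: full URL of the v2/auth endpoint (the page gives only the path).
const V2_AUTH = 'https://accounts.google.com/o/oauth2/v2/auth';
// Both issuer spellings from the answer: newer endpoints send the https:// form.
const GOOGLE_ISSUERS = ['https://accounts.google.com', 'accounts.google.com'];

// Rewrite a legacy query so it works against v2/auth.
function migrateAuthParams(legacy) {
  const params = new URLSearchParams(legacy);
  if (params.get('approval_prompt') === 'force') {
    params.set('prompt', 'consent'); // replacement named in the answer
  }
  params.delete('approval_prompt'); // renamed to "prompt" on the newer endpoint
  return params;
}

// Build the redirect URL. state and nonce must come from a CSPRNG and be
// stored in the user's session before redirecting.
function buildAuthUrl(legacy, { state, nonce }) {
  const params = migrateAuthParams(legacy);
  const responseType = params.get('response_type') || 'code';
  // Any response_type other than plain "code" is an implicit or hybrid flow,
  // where nonce is required; sending it on the code flow is also allowed.
  if (responseType !== 'code' && !nonce) {
    throw new Error('nonce is required for implicit and hybrid flows');
  }
  params.set('state', state);
  if (nonce) params.set('nonce', nonce);
  return `${V2_AUTH}?${params.toString()}`;
}

// Check the claims of an ID token whose signature has ALREADY been verified.
// Returns null when every check passes, otherwise a short reason string.
function checkIdTokenClaims(claims, { clientId, nonce, now = Date.now() / 1000 }) {
  if (!GOOGLE_ISSUERS.includes(claims.iss)) return 'bad iss';
  // aud may be a single string or an array of strings.
  if (![].concat(claims.aud).includes(clientId)) return 'bad aud';
  if (typeof claims.exp !== 'number' || claims.exp <= now) return 'expired';
  if (nonce && claims.nonce !== nonce) return 'nonce mismatch';
  return null;
}
```

Comparing iss against an exact allow-list, rather than a prefix or substring, is what keeps look-alike issuer strings from passing.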