Google's oauth2 endpoint - v1 vs v2 changes?

I know that this is something like an 'RTFM' question, but I can't for the life of me find solid documentation about this.

Specifically, I have a service that uses Google's OAuth2 REST API to authenticate users. The library I'm using (bell) recently started making calls to the /v2 version of the API endpoint. Those calls no longer seem to support approval_prompt=force in the query string (or something along those lines; I'm no longer able to use a special route to force a new refresh token).

Realistically, all I need to do is read the documentation for what changed from v1 to v2 of the OAuth2 library, or even find v2-specific information. All the documentation on developers.google.com seems to be about the v1 API.

pfooti asked Oct 14 '15 23:10


1 Answer

There is no documented list of changes at present. The main change from /auth to v2/auth, and from v3/token to v4/token, is that the newer versions are certified compliant with OpenID Connect. The earlier versions had a few inconsistencies with the spec, mostly because when Google launched them the spec was not yet final.

approval_prompt is now prompt. To get your approval_prompt=force behavior on the newer endpoint, specify prompt=consent. Other values for the prompt parameter are defined in section 3.1.2.1 of the spec.

Other changes, in no particular order:

  1. the ID Token iss value is now https://accounts.google.com, was accounts.google.com
  2. nonce is required for implicit and hybrid flows
  3. ID tokens on the newer endpoints may contain profile claims (if the profile scope was requested), saving a call to userinfo.
William Denniss answered Sep 29 '22 20:09