
With Google+ being shut down, is the OAuth API gone too?

A number of our users authenticate through the Google OAuth API (https://developers.google.com/+/web/api/rest/oauth)

What is the future of Google's version of the OAuth API beyond April 2019?

OAuth aside, we use the following endpoint to obtain the user's email and name: https://www.googleapis.com/plus/v1/people/me once we obtain the access token. Is this endpoint becoming obsolete?

Slawomir asked Dec 11 '18 05:12



2 Answers

Update 12/21/18

Google+ Shutdown Notice

[End Update]

OAuth 2.0 is a service provided by Google Accounts. The end of life for Google+ will not affect OAuth 2.0.

OAuth 2.0 is the foundation authentication service for Google Cloud Platform, G Suite and many other services. OAuth 2.0 is token based, and these tokens can be used on a variety of services, both Google based and third party.

A further question was asked below in the comment section about endpoints.

The Google+ endpoint for user information: googleapis.com/plus/v1/people/me will probably continue to exist for years (awaiting official announcement from Google).

I would start using the Google OAuth 2.0 endpoint (notice the alt=json): https://www.googleapis.com/oauth2/v3/userinfo?alt=json

Which returns JSON that looks like this:

{
  "id": "123456789012345678901",
  "email": "[email protected]",
  "verified_email": true,
  "name": "User Name",
  "given_name": "User",
  "family_name": "Name",
  "link": "https://plus.google.com/123456789012345678901",
  "picture": "https://lh3.googleusercontent.com/.../mo/photo.jpg",
  "locale": "en",
  "hd": "example.com"
}

The current list of Google OAuth 2.0 endpoints:

https://accounts.google.com/.well-known/openid-configuration

John Hanley answered Oct 31 '22 07:10


What is the future of OAuth API beyond the April 2019?

OAuth is not an API; it is a protocol for authentication. In this instance the authentication response is used to access Google's APIs. Google's use of OAuth2 for authentication is not going anywhere; there has been no announcement that it is being discontinued in any way. Nor do I think they would, as to my knowledge it is the current industry standard for authenticating to APIs.

OAuth aside, we use the following endpoint to obtain the user's email and name: https://www.googleapis.com/plus/v1/people/me once we obtain the access token. Is this endpoint

The Google People API may contain the term plus in the URL, but it does not really have anything to do with Google Plus (other than really bad naming).

[Documentation] The People API lets you list and manage the authenticated user's Contacts and retrieve profile information for authenticated users and their contacts.

Which actually has nothing to do with Google Plus, other than the fact that some of the user's profile information may have originally been contained within Google Plus, which has now been moved, I suspect (but I have no proof of that). I did send off an email to Google asking for some clarification as to exactly which endpoints are shutting down.

Shutdown

So what is going to happen with the shutdown?

  • Google+ will stop working.
  • plus.activities will stop working.
  • plus.comments will stop working.

What will happen to people overview will be a really good question. They may be renamed; however, I suspect they may just be left alone to access the Google contacts as they do currently (again, I have no proof of this).

Get current user info

If you want to get the information about the current user, then an idea would be to use the userinfo endpoint. As long as you requested the profile scope, you can request the current user's info from the identity server directly.

Request:

GET /oauth2/v2/userinfo HTTP/1.1
Host: www.googleapis.com
Content-length: 0
Authorization: Bearer qMgWQHD0MstTDVip7hIYipUpSQkxexF4-W0bI3geEaYk0ztVryYZyFRrZDFWkn69Hw3RlBjfOuXJ8df_iv5ATgW3y0BUkI0xMXeGq22qmfqG-4duSU

Response:

{
  "picture": "https://lh5.googleusercontent.com/-a1CWlFnA5xE/AAAAAAAAAAI/AAAAAAAAl1I/UcwPajZOuN4/photo.jpg", 
  "name": "Linda Lawton", 
  "family_name": "Lawton", 
  "locale": "en", 
  "gender": "female", 
  "link": "https://plus.google.com/+LindaLawton", 
  "given_name": "Linda", 
  "id": "117200475532672775346"
}

I suspect that some of this is going to change. Link, for example, is not going to be able to link to Google Plus anymore. I think I will send off an email to Google to see what they intend to do about that.

Email will only appear in the response if you have also requested email scope when authenticating the user.

Update

A blog post on the API shutdown just went out and gives information on what APIs are being shut down and when.

The most commonly used APIs that are being shut down include:

  • Google+ REST API
  • Google+ Web API
  • Google+ Android SDK
  • Google+ Domains API
  • Google+ Pages API

This still doesn't clear up the issue with the People API being Google contacts yet part of the Google+ REST API.

https://developers.googleblog.com/2018/12/google-apis-shutting-down-march-7-2019.html?m=1

DaImTo answered Oct 31 '22 07:10
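An added example (not part of either answer above) of consuming the userinfo response shown in the answers: it builds the Bearer request and maps the JSON to a local identity keyed on the stable account id, with email treated as optional (it is only present when the email scope was granted) and ignored unless marked verified. The function names, the `allowed_hd` parameter and the sample bodies are assumptions constructed for illustration; accepting `sub`/`email_verified` as alternative field names is a generalization to OpenID Connect style responses.

```python
import json
import urllib.request

USERINFO_URL = "https://www.googleapis.com/oauth2/v2/userinfo"  # endpoint from the answer above


def build_userinfo_request(access_token, url=USERINFO_URL):
    """Build (but do not send) the GET request carrying the Bearer token in a header."""
    if not url.startswith("https://"):
        raise ValueError("userinfo must be fetched over HTTPS")
    if not access_token or any(c.isspace() for c in access_token):
        raise ValueError("malformed access token")
    return urllib.request.Request(
        url, headers={"Authorization": "Bearer " + access_token}, method="GET")


def identity_from_userinfo(body, allowed_hd=None):
    """Map a userinfo JSON body to a local identity dict (hypothetical helper)."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("userinfo response is not a JSON object")
    # Key accounts on the stable numeric id, never on the mutable email address.
    uid = data.get("id") or data.get("sub")
    if not isinstance(uid, str) or not uid.isdigit():
        raise ValueError("response has no usable account id")
    # Email is absent when the email scope was not requested; drop it unless verified.
    verified = data.get("verified_email", data.get("email_verified")) is True
    email = data.get("email") if verified else None
    # Optional hosted-domain restriction; a missing "hd" never matches.
    if allowed_hd is not None and data.get("hd") != allowed_hd:
        raise PermissionError("account is outside the allowed hosted domain")
    return {"id": uid, "email": email, "name": data.get("name")}


# Constructed sample bodies modelled on the responses shown in the answers.
WITH_EMAIL = json.dumps({"id": "123456789012345678901", "email": "user@example.com",
                         "verified_email": True, "name": "User Name", "hd": "example.com"})
PROFILE_ONLY = json.dumps({"id": "117200475532672775346", "name": "Linda Lawton"})
UNVERIFIED = json.dumps({"id": "123456789012345678901", "email": "user@example.com",
                         "verified_email": False})

if __name__ == "__main__":
    req = build_userinfo_request("constructed-sample-token")
    print(req.get_method(), req.full_url, req.get_header("Authorization"))
    for sample in (WITH_EMAIL, PROFILE_ONLY, UNVERIFIED):
        print(identity_from_userinfo(sample))
```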