
[Announcement] Google+ based auth deprecation and replacement #6486

Open
Tratcher opened this Issue Jan 8, 2019 · 12 comments

Tratcher commented Jan 8, 2019

Google is starting to shut down Google+ Signin for applications as early as January 28th 2019. ASP.NET and ASP.NET Core have been using the Google+ Signin APIs to authenticate Google account users in web applications. The affected NuGet packages are Microsoft.AspNetCore.Authentication.Google for ASP.NET Core and Microsoft.Owin.Security.Google for Microsoft.Owin with ASP.NET Web Forms and MVC. Mitigations and solutions will vary depending on which package and which version of that package you use.

Note that the replacement APIs Google has provided use a different data source and format. The mitigations and solutions given below account for the structural changes but applications will need to verify the data itself still satisfies their requirements. E.g. names, e-mail addresses, profile links, profile photos, etc. may provide subtly different values than before.

Microsoft.Owin with ASP.NET Web Forms and MVC

For Microsoft.Owin 3.1.0 and later a temporary mitigation is outlined here. Applications should do immediate testing with the mitigation to check for changes in the data format. We'll plan to release Microsoft.Owin 4.0.1 with a fix for this as soon as possible. Applications using any prior version will need to update to 4.0.1.

ASP.NET Core 1.x

The mitigation given above for Microsoft.Owin can also be adapted for ASP.NET Core 1.x. As 1.x is nearing end of life and has low usage there are no plans to patch the NuGet packages for this issue.

ASP.NET Core 2.x

For Microsoft.AspNetCore.Authentication.Google 2.x the mitigation is to replace your existing call to AddGoogle in Startup with:

            .AddGoogle(o =>
            {
                o.ClientId = Configuration["Authentication:Google:ClientId"];
                o.ClientSecret = Configuration["Authentication:Google:ClientSecret"];
                // Read the profile from the OAuth2 userinfo endpoint instead of the Google+ people API.
                o.UserInformationEndpoint = "https://www.googleapis.com/oauth2/v2/userinfo";
                // Drop the default claim mappings, which were written for the Google+ JSON format.
                o.ClaimActions.Clear();
                // The userinfo response is a flat JSON object; map each key to a claim type.
                o.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "id");
                o.ClaimActions.MapJsonKey(ClaimTypes.Name, "name");
                o.ClaimActions.MapJsonKey(ClaimTypes.GivenName, "given_name");
                o.ClaimActions.MapJsonKey(ClaimTypes.Surname, "family_name");
                o.ClaimActions.MapJsonKey("urn:google:profile", "link");
                o.ClaimActions.MapJsonKey(ClaimTypes.Email, "email");
            });

Applications should do immediate testing with the mitigation to check for changes in the data format. Expect a fix for this to be included in the February 2.1 and 2.2 patches that incorporates the above reconfiguration as the new defaults. No patch is planned for 2.0 since it has reached end of life.

ASP.NET Core 3.0 Preview

The mitigation given for 2.x can also be used for the current 3.0 preview. In future 3.0 previews we're considering removing the Microsoft.AspNetCore.Authentication.Google package and directing users to Microsoft.AspNetCore.Authentication.OpenIdConnect instead. We'll follow up with the final plan. Here's how to replace AddGoogle with AddOpenIdConnect in Startup. This replacement can be used with ASP.NET Core 2.0 and later and can be adapted for 1.x as needed.

            .AddOpenIdConnect("Google", o =>
            {
                o.ClientId = Configuration["Authentication:Google:ClientId"];
                o.ClientSecret = Configuration["Authentication:Google:ClientSecret"];
                // Endpoints and token signing keys are read from the OpenID Connect discovery document.
                o.Authority = "https://accounts.google.com";
                o.ResponseType = OpenIdConnectResponseType.Code;
                o.CallbackPath = "/signin-google"; // Or register the default "/signin-oidc"
                o.Scope.Add("email");
            });
            // Call once at startup, before any token is validated, so claims keep their JWT names (e.g. "sub", "email").
            JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

@Tratcher Tratcher added this to the Discussions milestone Jan 8, 2019
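A complete Startup that wires the AddOpenIdConnect("Google", ...) replacement from the post above into cookie authentication, as an added example that is not part of the issue or of the ASP.NET Core repository. The same surrounding wiring (AddAuthentication, AddCookie, UseAuthentication) is what the 2.x AddGoogle mitigation needs too; only the AddOpenIdConnect call would be swapped for that AddGoogle call. Assumptions: the configuration keys are the ones the post uses; "sub", "name", "email" and "email_verified" are the standard OpenID Connect ID-token claim names; the OnTokenValidated checks (refusing a sign-in with no subject or with an unverified e-mail address) are additions here, not something the issue prescribes.

```csharp
// Added example, not code from the issue or the ASP.NET Core repository.
// Targets ASP.NET Core 2.1/2.2 with Microsoft.AspNetCore.Authentication.OpenIdConnect.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Must run before any ID token is validated. With the map cleared, the
        // principal carries the raw JWT claim names ("sub", "email", ...) instead
        // of the long ClaimTypes.* URIs, so the checks below can use those names.
        JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

        services.AddAuthentication(options =>
        {
            // The application session is a cookie; Google is only the challenge scheme.
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = "Google";
        })
        .AddCookie()
        .AddOpenIdConnect("Google", o =>
        {
            // Same configuration keys as in the issue (assumed to be present in appsettings).
            o.ClientId = Configuration["Authentication:Google:ClientId"];
            o.ClientSecret = Configuration["Authentication:Google:ClientSecret"];
            // Endpoints, issuer and signing keys come from the discovery document at
            // https://accounts.google.com/.well-known/openid-configuration.
            o.Authority = "https://accounts.google.com";
            // Authorization-code flow: the ID token is retrieved server-side over the
            // back channel instead of being handed to the browser.
            o.ResponseType = OpenIdConnectResponseType.Code;
            // Keep the redirect URI that is already registered with Google.
            o.CallbackPath = "/signin-google";
            // "openid" and "profile" are requested by default; "email" adds the
            // "email" and "email_verified" claims to the ID token.
            o.Scope.Add("email");
            o.TokenValidationParameters = new TokenValidationParameters
            {
                // User.Identity.Name should come from the "name" claim.
                NameClaimType = "name",
            };
            o.Events = new OpenIdConnectEvents
            {
                // Added checks (assumption: the application keys accounts on "sub"
                // and only uses the e-mail address when Google marks it verified).
                OnTokenValidated = ctx =>
                {
                    // "sub" is the only stable identifier; never key accounts on e-mail.
                    if (string.IsNullOrEmpty(ctx.Principal.FindFirst("sub")?.Value))
                    {
                        ctx.Fail("ID token has no subject claim");
                        return Task.CompletedTask;
                    }
                    // The JWT boolean arrives as the string "true"/"false".
                    var verified = ctx.Principal.FindFirst("email_verified")?.Value;
                    if (!string.Equals(verified, "true", StringComparison.OrdinalIgnoreCase))
                    {
                        ctx.Fail("e-mail address is not verified by Google");
                    }
                    return Task.CompletedTask;
                }
            };
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        // Authentication must run before MVC so [Authorize] sees the principal.
        app.UseAuthentication();
        app.UseMvc();
    }
}
```

Because DefaultInboundClaimTypeMap is cleared, code that previously read ClaimTypes.NameIdentifier or ClaimTypes.Email from the principal has to read "sub" and "email" instead (or re-add the two mappings explicitly); that is the same kind of data-format check the post asks applications to do.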

MichaelPetrinolis added a commit to MichaelPetrinolis/OrchardCore that referenced this issue Jan 9, 2019

@JesperNoerregaard

This comment has been minimized.

Tratcher commented Jan 9, 2019

These two lines might need to change, but that's about it:

o.Scope.Add("https://www.googleapis.com/auth/plus.login");
o.ClaimActions.MapJsonKey(ClaimTypes.Gender, "gender");

devSoheilAlizadeh commented Jan 12, 2019

Is this just about AddGoogle?
There are more methods like AddTwitter,AddFacebook,AddMicrosoftAccount.

Tratcher commented Jan 12, 2019

Correct, only Google.

Tratcher commented Jan 24, 2019

Update:

Microsoft.Owin.Security.Google 4.0.1 has been published to nuget.org with this fix.

The fix will be available soon in ASP.NET Core 3.0.0-preview2.

The ASP.NET Core 2.1 and 2.2 patches are expected as part of the normal February patch release.

mattgenious commented Feb 14, 2019

The method for ASP.NET Core 2.x seems to only be getting nameidentifier and name (that is actually the email address). I might be mistaken but I can't find given_name, family_name, link or the actual email field in the claims returned.

Tratcher commented Feb 14, 2019

@mattgenious Are you looking under these claim types?

ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "id");
ClaimActions.MapJsonKey(ClaimTypes.Name, "name");
ClaimActions.MapJsonKey(ClaimTypes.GivenName, "given_name");
ClaimActions.MapJsonKey(ClaimTypes.Surname, "family_name");
ClaimActions.MapJsonKey("urn:google:profile", "link");
ClaimActions.MapJsonKey(ClaimTypes.Email, "email");

mattgenious commented Feb 14, 2019

Yes, when I check at runtime what actually is retrieved the result is as I described. But again, I might be missing something or misunderstanding something.

Tratcher commented Feb 14, 2019

Is it an account specific issue? Do you get the same behavior with other accounts?

mattgenious commented Feb 14, 2019

I’ll get back to you on that as I’ve only tried with g suite accounts until now.

mattgenious commented Feb 15, 2019

Tested it and I'm seeing the same results for both g suite and standard google accounts.

mattgenious commented Feb 15, 2019

Found my mistake, I was not correctly persisting the claims, so at runtime I was not getting them because they were not persisted in my db. Sorry about that
