Query on Google+ deprecation

[Martii]

Does the announcement here mean that this auth won't work any more? I use one Google+ as a test account for our project and it's definitely Google+ related.

Thanks for the insight.

[skogsmaskin]

I can't find any official from Google if/when the Google+ API will be deprecated.

I think the Google+ API is only used in this module in order to fetch the user profile (it doesn't rely on the Goolge+ API for the authentication itself). The profile info URL can be configured to anything using the options.userProfileURL. I'm sure we will get an alternative if the G+ API becomes deprecated. If so, we could be using the mentioned option until this module becomes updated to the eventual Google changes.

[gkwang]

I would recommend using Google's openId connect endpoints (which is also supported; you just need to configure the userProfileUrl) if you're concerned about availability.
https://developers.google.com/identity/protocols/OpenIDConnect
It seems like the deprecation will take place next august, so we have plenty of time.

[Martii]

@gkwang

... recommend using Google's openId connect endpoints...

See our older issue at OpenUserJS/OpenUserJS.org#484 . Historically this would be very bad. We lost a bunch of access to accounts due to that Google deprecation.

@skogsmaskin

Well sometime in the near future I'll see if profile works again with new accounts. The last time I tried that (documented in our issue and pull history) it bombed the server quite nicely. Right now we are set to read only Google auths using profile. e.g. no more new accounts using this auth strategy atm.

[Tenrys]

I've just received an email regarding the deprecation of Google+ APIs altogether, what alternative do we have?

[ggoforth]

The email reads as follows:

Hello Google+ Developer,

We’re writing to let you know that as part of the sunset of the consumer version of Google+, we will be shutting down our Google+ APIs on March 7, 2019. As part of these changes, Google+ Sign-in has been fully deprecated and will also be shut down on March 7, 2019.

What do I need to know?
On March 7, 2019, all Google+ APIs and Google+ Sign-in will be shut down completely. This will be a progressive shutdown beginning in late January, with calls to these APIs starting to intermittently fail as early as January 28, 2019.

What do I need to do?
Please update your projects listed below by March 7, 2019 and ensure they are no longer using Google+ APIs. The data below shows which Google+ API methods your projects have recently called.

Note: If you see calls to people.get, these can be the result of using the Google+ Sign-In feature in your application, which is now fully deprecated and is being shut down. Developers should migrate from the Google+ Sign-In feature to the more comprehensive Google Sign-in authentication system.

Project	Google+ API Name	Version	Method
xxxx (xxxx-123456)	plus	v1	plus.people.get

[keyliin0]

Is there another alternative instead of Google+

[micheldaoud]

yes https://developers.google.com/identity/sign-in/web/sign-in

[ggoforth]

I think the larger question is are we vulnerable just by using this strategy, or is this some specific scope that we are requesting? IE is the passport strategy leveraging something specific to google plus or is it related to requested scopes?

[MarshallOfSound]

Heya folks in this thread,

I've done the heavy googling work for ya 😄 This module already supports using a non-googlePlus strategy for getting profile information.

Check out the docs I added in this PR

#51

[Martii]

@micheldaoud

https://developers.google.com/identity/sign-in/web/sign-in

Interesting. Adding a script to our site in our combined login page is so not going to happen nor is an iframed version of it. This seems like a replica of Mozilla Persona atm to me.

@MarshallOfSound

#51

Appreciate that research and effort. I'm really leery of doing any more changes to google auths on our site right now. I'd actually be happy with deprecating it completely on our site but I'm not at liberty to do that just yet. So if this package can pick up the endpoint needed we'll update our dependencies with that. Otherwise I won't know until the deadline happens on how it affects us. Too many other fires in the kitchen to deal with atm too.

[G-T-P]

I've done the heavy googling work for ya 😄 This module already supports using a non-googlePlus strategy for getting profile information.

Check out the docs I added in this PR

#51

Thank you very much for this PR. I just implemented the few lines that it requires and it worked completely. I could disable the Google + Api in my Google dev console and everything runs smoothly.

[akasai]

Hi there.
I think I can solve this problem by using five callback argument and the userProfileURL option of GoogleSt Strategy.

Google now recommends requesting an ID token and sending that ID token from your client to your server. ID tokens have cross site forgery protections built-in and also can be statically verified on your server, thus avoiding an extra API call to get user profile information from Google’s servers. Follow the instructions for validating ID tokens on your server.
If you would still prefer to use the code flow to obtain profile information, you may do so. Once your server has an access token, you will need to obtain user profile information from the userinfoendpoints specified in our Sign In Discovery document. The API response will be formatted differently than the Google+ profile response, so you will need to update your parsing to the new format.

https://developers.google.com/identity/sign-in/web/quick-migration-guide

Look at the above sentence.
Google recommends requesting an ID token. And Passport-oauth2 is support parameter that shows all information after request. So I could check ID_token and request token validation URL(https://oauth2.googleapis.com/tokeninfo) to validate ID_token. (reference)

In addition, It can check user information using options such as userProfileURL(string) and skipUserProfile(boolean).

I think it'll be able to respond to Google+ with these features.

What do you think about this opinion?

[cbettinger]

Will there be a new release before March 7, 2019?

[MathRobin]

Hi, shutdown will be in 3 days, any update ? Thanks in advance !

[yahharo]

As you can see from this code, if you set up options.userProfileURL, this module will not access the Google+ API.
https://github.com/jaredhanson/passport-google-oauth2/blob/v1.0.0/lib/strategy.js#L54

So, as written in #51, I think that you should add userProfileURL like below:

new GoogleStrategy({
  clientID: GOOGLE_CLIENT_ID,
  clientSecret: GOOGLE_CLIENT_SECRET,
  callbackURL: "http://www.example.com/auth/google/callback",
  // This option tells the strategy to use the userinfo endpoint instead
  userProfileURL: "https://www.googleapis.com/oauth2/v3/userinfo",
}

[cbettinger]

Since calls to the old Google+ API started to intermittently fail in January, I already have applied the aforementioned solution to my project and released a new version. Nevertheless I am interested in the question when a new release of passport-google-oauth2 will be published.

[skdelphix]

As you can see from this code, if you set up options.userProfileURL, this module will not access the Google+ API.
https://github.com/jaredhanson/passport-google-oauth2/blob/v1.0.0/lib/strategy.js#L54

So, as written in #51, I think that you should add userProfileURL like below:

new GoogleStrategy({
  clientID: GOOGLE_CLIENT_ID,
  clientSecret: GOOGLE_CLIENT_SECRET,
  callbackURL: "http://www.example.com/auth/google/callback",
  // This option tells the strategy to use the userinfo endpoint instead
  userProfileURL: "https://www.googleapis.com/oauth2/v3/userinfo",
}

If you make this change, are you then able to disable the API in the Google dashboard without any issues? Is there some Google-side component to configure as a replacement?

I set the userProfileURL as suggested but still see my API usage for Google+ API going up whenever a login occurs on my app.

[yahharo]

@skdelphix

If you make this change, are you then able to disable the API in the Google dashboard without any issues? Is there some Google-side component to configure as a replacement?

At least, in our environment using this module, even if you disable Google+ API, it works fine. 😉

[skdelphix]

@skdelphix

If you make this change, are you then able to disable the API in the Google dashboard without any issues? Is there some Google-side component to configure as a replacement?

At least, in our environment using this module, even if you disable Google+ API, it works fine. 😉

Well there's the problem, I was on version 0.2.0. Updated to 1.0.0 and disabled the API, everything is great now.

[jaredhanson]

passport-google-oauth20@2.0.0 has been published to npm. More information here: https://medium.com/passportjs/google-api-shutdown-330c3b47e3df

[guna-yes]

use userProfileURL: "https://www.googleapis.com/oauth2/v3/userinfo" in your strategy.This will remove google+ authentication and it goes into another endpoint "userinfo".

[Harshit2929]

using userProfileURL: "https://www.googleapis.com/oauth2/v3/userinfo" in strategy works well now also.This will remove google+ authentication and it goes into another endpoint "userinfo".

[sujin-sam]

pls add the solution to the README and to this doc http://www.passportjs.org/packages/passport-google-oauth20/

[aztuhin]

Is it solve this issue?