Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Query on Google+ deprecation #50

Closed
Martii opened this issue Oct 8, 2018 · 20 comments

Comments

Projects
None yet
@Martii
Copy link

commented Oct 8, 2018

Does the announcement here mean that this auth won't work any more? I use one Google+ as a test account for our project and it's definitely Google+ related.

Thanks for the insight.

@skogsmaskin

This comment has been minimized.

Copy link

commented Oct 15, 2018

I can't find any official from Google if/when the Google+ API will be deprecated.

I think the Google+ API is only used in this module in order to fetch the user profile (it doesn't rely on the Goolge+ API for the authentication itself). The profile info URL can be configured to anything using the options.userProfileURL. I'm sure we will get an alternative if the G+ API becomes deprecated. If so, we could be using the mentioned option until this module becomes updated to the eventual Google changes.

@gkwang

This comment has been minimized.

Copy link

commented Oct 15, 2018

I would recommend using Google's openId connect endpoints (which is also supported; you just need to configure the userProfileUrl) if you're concerned about availability.
https://developers.google.com/identity/protocols/OpenIDConnect
It seems like the deprecation will take place next august, so we have plenty of time.

@Martii

This comment has been minimized.

Copy link
Author

commented Oct 15, 2018

@gkwang

... recommend using Google's openId connect endpoints...

See our older issue at OpenUserJS/OpenUserJS.org#484 . Historically this would be very bad. We lost a bunch of access to accounts due to that Google deprecation.

@skogsmaskin

Well sometime in the near future I'll see if profile works again with new accounts. The last time I tried that (documented in our issue and pull history) it bombed the server quite nicely. Right now we are set to read only Google auths using profile. e.g. no more new accounts using this auth strategy atm.

@Tenrys

This comment has been minimized.

Copy link

commented Dec 20, 2018

I've just received an email regarding the deprecation of Google+ APIs altogether, what alternative do we have?

@ggoforth

This comment has been minimized.

Copy link

commented Dec 20, 2018

The email reads as follows:

Hello Google+ Developer,

We’re writing to let you know that as part of the sunset of the consumer version of Google+, we will be shutting down our Google+ APIs on March 7, 2019. As part of these changes, Google+ Sign-in has been fully deprecated and will also be shut down on March 7, 2019.

What do I need to know?
On March 7, 2019, all Google+ APIs and Google+ Sign-in will be shut down completely. This will be a progressive shutdown beginning in late January, with calls to these APIs starting to intermittently fail as early as January 28, 2019.

What do I need to do?
Please update your projects listed below by March 7, 2019 and ensure they are no longer using Google+ APIs. The data below shows which Google+ API methods your projects have recently called.

Note: If you see calls to people.get, these can be the result of using the Google+ Sign-In feature in your application, which is now fully deprecated and is being shut down. Developers should migrate from the Google+ Sign-In feature to the more comprehensive Google Sign-in authentication system.

Project Google+ API Name Version Method
xxxx (xxxx-123456) plus v1 plus.people.get
@keyliin0

This comment has been minimized.

Copy link

commented Dec 20, 2018

Is there another alternative instead of Google+

@micheldaoud

This comment has been minimized.

@ggoforth

This comment has been minimized.

Copy link

commented Dec 20, 2018

I think the larger question is are we vulnerable just by using this strategy, or is this some specific scope that we are requesting? IE is the passport strategy leveraging something specific to google plus or is it related to requested scopes?

@MarshallOfSound

This comment has been minimized.

Copy link

commented Dec 21, 2018

Heya folks in this thread,

I've done the heavy googling work for ya 😄 This module already supports using a non-googlePlus strategy for getting profile information.

Check out the docs I added in this PR

#51

@Martii

This comment has been minimized.

Copy link
Author

commented Dec 21, 2018

@micheldaoud

https://developers.google.com/identity/sign-in/web/sign-in

Interesting. Adding a script to our site in our combined login page is so not going to happen nor is an iframed version of it. This seems like a replica of Mozilla Persona atm to me.

@MarshallOfSound

#51

Appreciate that research and effort. I'm really leery of doing any more changes to google auths on our site right now. I'd actually be happy with deprecating it completely on our site but I'm not at liberty to do that just yet. So if this package can pick up the endpoint needed we'll update our dependencies with that. Otherwise I won't know until the deadline happens on how it affects us. Too many other fires in the kitchen to deal with atm too.

@G-T-P

This comment has been minimized.

Copy link

commented Dec 21, 2018

I've done the heavy googling work for ya 😄 This module already supports using a non-googlePlus strategy for getting profile information.

Check out the docs I added in this PR

#51

Thank you very much for this PR. I just implemented the few lines that it requires and it worked completely. I could disable the Google + Api in my Google dev console and everything runs smoothly.

@akasai

This comment has been minimized.

Copy link

commented Jan 25, 2019

Hi there.
I think I can solve this problem by using five callback argument and the userProfileURL option of GoogleSt Strategy.

Google now recommends requesting an ID token and sending that ID token from your client to your server. ID tokens have cross site forgery protections built-in and also can be statically verified on your server, thus avoiding an extra API call to get user profile information from Google’s servers. Follow the instructions for validating ID tokens on your server.
If you would still prefer to use the code flow to obtain profile information, you may do so. Once your server has an access token, you will need to obtain user profile information from the userinfoendpoints specified in our Sign In Discovery document. The API response will be formatted differently than the Google+ profile response, so you will need to update your parsing to the new format.

https://developers.google.com/identity/sign-in/web/quick-migration-guide

Look at the above sentence.
Google recommends requesting an ID token. And Passport-oauth2 is support parameter that shows all information after request. So I could check ID_token and request token validation URL(https://oauth2.googleapis.com/tokeninfo) to validate ID_token. (reference)

In addition, It can check user information using options such as userProfileURL(string) and skipUserProfile(boolean).

I think it'll be able to respond to Google+ with these features.

What do you think about this opinion?

@cbettinger

This comment has been minimized.

Copy link

commented Feb 20, 2019

Will there be a new release before March 7, 2019?

@MathRobin

This comment has been minimized.

Copy link

commented Mar 4, 2019

Hi, shutdown will be in 3 days, any update ? Thanks in advance !

@yahharo

This comment has been minimized.

Copy link

commented Mar 5, 2019

As you can see from this code, if you set up options.userProfileURL, this module will not access the Google+ API.
https://github.com/jaredhanson/passport-google-oauth2/blob/v1.0.0/lib/strategy.js#L54

So, as written in #51, I think that you should add userProfileURL like below:

new GoogleStrategy({
  clientID: GOOGLE_CLIENT_ID,
  clientSecret: GOOGLE_CLIENT_SECRET,
  callbackURL: "http://www.example.com/auth/google/callback",
  // This option tells the strategy to use the userinfo endpoint instead
  userProfileURL: "https://www.googleapis.com/oauth2/v3/userinfo",
}
@cbettinger

This comment has been minimized.

Copy link

commented Mar 5, 2019

Since calls to the old Google+ API started to intermittently fail in January, I already have applied the aforementioned solution to my project and released a new version. Nevertheless I am interested in the question when a new release of passport-google-oauth2 will be published.

@skdelphix

This comment has been minimized.

Copy link

commented Mar 5, 2019

As you can see from this code, if you set up options.userProfileURL, this module will not access the Google+ API.
https://github.com/jaredhanson/passport-google-oauth2/blob/v1.0.0/lib/strategy.js#L54

So, as written in #51, I think that you should add userProfileURL like below:

new GoogleStrategy({
  clientID: GOOGLE_CLIENT_ID,
  clientSecret: GOOGLE_CLIENT_SECRET,
  callbackURL: "http://www.example.com/auth/google/callback",
  // This option tells the strategy to use the userinfo endpoint instead
  userProfileURL: "https://www.googleapis.com/oauth2/v3/userinfo",
}

If you make this change, are you then able to disable the API in the Google dashboard without any issues? Is there some Google-side component to configure as a replacement?

I set the userProfileURL as suggested but still see my API usage for Google+ API going up whenever a login occurs on my app.

@yahharo

This comment has been minimized.

Copy link

commented Mar 6, 2019

@skdelphix

If you make this change, are you then able to disable the API in the Google dashboard without any issues? Is there some Google-side component to configure as a replacement?

At least, in our environment using this module, even if you disable Google+ API, it works fine. 😉

@skdelphix

This comment has been minimized.

Copy link

commented Mar 6, 2019

@skdelphix

If you make this change, are you then able to disable the API in the Google dashboard without any issues? Is there some Google-side component to configure as a replacement?

At least, in our environment using this module, even if you disable Google+ API, it works fine. 😉

Well there's the problem, I was on version 0.2.0. Updated to 1.0.0 and disabled the API, everything is great now.

@jaredhanson

This comment has been minimized.

Copy link
Owner

commented Mar 9, 2019

passport-google-oauth20@2.0.0 has been published to npm. More information here: https://medium.com/passportjs/google-api-shutdown-330c3b47e3df

@jaredhanson jaredhanson closed this Mar 9, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.