Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Query on Google+ deprecation #50

Closed
Martii opened this issue Oct 8, 2018 · 24 comments
Closed

Query on Google+ deprecation #50

Martii opened this issue Oct 8, 2018 · 24 comments

Comments

@Martii
Copy link

Martii commented Oct 8, 2018
edited
Loading

Does the announcement here mean that this auth won't work any more? I use one Google+ as a test account for our project and it's definitely Google+ related.

Thanks for the insight.
@Martii Martii mentioned this issue Oct 8, 2018
Closed
@skogsmaskin
Copy link

skogsmaskin commented Oct 15, 2018
edited
Loading

I can't find any official from Google if/when the Google+ API will be deprecated.

I think the Google+ API is only used in this module in order to fetch the user profile (it doesn't rely on the Goolge+ API for the authentication itself). The profile info URL can be configured to anything using the options.userProfileURL. I'm sure we will get an alternative if the G+ API becomes deprecated. If so, we could be using the mentioned option until this module becomes updated to the eventual Google changes.

@gkwang
Copy link

gkwang commented Oct 15, 2018
edited
Loading

I would recommend using Google's openId connect endpoints (which is also supported; you just need to configure the userProfileUrl) if you're concerned about availability.
https://developers.google.com/identity/protocols/OpenIDConnect
It seems like the deprecation will take place next august, so we have plenty of time.

@Martii
Copy link
Author

Martii commented Oct 15, 2018
edited
Loading

@gkwang

... recommend using Google's openId connect endpoints...

See our older issue at OpenUserJS/OpenUserJS.org#484 . Historically this would be very bad. We lost a bunch of access to accounts due to that Google deprecation.

@skogsmaskin

Well sometime in the near future I'll see if profile works again with new accounts. The last time I tried that (documented in our issue and pull history) it bombed the server quite nicely. Right now we are set to read only Google auths using profile. e.g. no more new accounts using this auth strategy atm.

@Tenrys
Copy link

Tenrys commented Dec 20, 2018

I've just received an email regarding the deprecation of Google+ APIs altogether, what alternative do we have?

@ggoforth
Copy link

The email reads as follows:

Hello Google+ Developer,

We’re writing to let you know that as part of the sunset of the consumer version of Google+, we will be shutting down our Google+ APIs on March 7, 2019. As part of these changes, Google+ Sign-in has been fully deprecated and will also be shut down on March 7, 2019.

What do I need to know?
On March 7, 2019, all Google+ APIs and Google+ Sign-in will be shut down completely. This will be a progressive shutdown beginning in late January, with calls to these APIs starting to intermittently fail as early as January 28, 2019.

What do I need to do?
Please update your projects listed below by March 7, 2019 and ensure they are no longer using Google+ APIs. The data below shows which Google+ API methods your projects have recently called.

Note: If you see calls to people.get, these can be the result of using the Google+ Sign-In feature in your application, which is now fully deprecated and is being shut down. Developers should migrate from the Google+ Sign-In feature to the more comprehensive Google Sign-in authentication system.

Project Google+ API Name Version Method
xxxx (xxxx-123456) plus v1 plus.people.get

@keyliin0
Copy link

Is there another alternative instead of Google+

@micheldaoud
Copy link

yes https://developers.google.com/identity/sign-in/web/sign-in

@ggoforth
Copy link

I think the larger question is are we vulnerable just by using this strategy, or is this some specific scope that we are requesting? IE is the passport strategy leveraging something specific to google plus or is it related to requested scopes?

@MarshallOfSound
Copy link

Heya folks in this thread,

I've done the heavy googling work for ya 😄 This module already supports using a non-googlePlus strategy for getting profile information.

Check out the docs I added in this PR

#51

@Martii
Copy link
Author

Martii commented Dec 21, 2018
edited
Loading

@micheldaoud

https://developers.google.com/identity/sign-in/web/sign-in

Interesting. Adding a script to our site in our combined login page is so not going to happen nor is an iframed version of it. This seems like a replica of Mozilla Persona atm to me.

@MarshallOfSound

#51

Appreciate that research and effort. I'm really leery of doing any more changes to google auths on our site right now. I'd actually be happy with deprecating it completely on our site but I'm not at liberty to do that just yet. So if this package can pick up the endpoint needed we'll update our dependencies with that. Otherwise I won't know until the deadline happens on how it affects us. Too many other fires in the kitchen to deal with atm too.

@G-T-P
Copy link

G-T-P commented Dec 21, 2018

I've done the heavy googling work for ya 😄 This module already supports using a non-googlePlus strategy for getting profile information.

Check out the docs I added in this PR

#51

Thank you very much for this PR. I just implemented the few lines that it requires and it worked completely. I could disable the Google + Api in my Google dev console and everything runs smoothly.

@eponymz eponymz mentioned this issue Dec 27, 2018
Closed
@tiblu tiblu mentioned this issue Jan 7, 2019
Closed
@akasai
Copy link

akasai commented Jan 25, 2019

Hi there.
I think I can solve this problem by using five callback argument and the userProfileURL option of GoogleSt Strategy.

Google now recommends requesting an ID token and sending that ID token from your client to your server. ID tokens have cross site forgery protections built-in and also can be statically verified on your server, thus avoiding an extra API call to get user profile information from Google’s servers. Follow the instructions for validating ID tokens on your server.
If you would still prefer to use the code flow to obtain profile information, you may do so. Once your server has an access token, you will need to obtain user profile information from the userinfoendpoints specified in our Sign In Discovery document. The API response will be formatted differently than the Google+ profile response, so you will need to update your parsing to the new format.

https://developers.google.com/identity/sign-in/web/quick-migration-guide

Look at the above sentence.
Google recommends requesting an ID token. And Passport-oauth2 is support parameter that shows all information after request. So I could check ID_token and request token validation URL(https://oauth2.googleapis.com/tokeninfo) to validate ID_token. (reference)

In addition, It can check user information using options such as userProfileURL(string) and skipUserProfile(boolean).

I think it'll be able to respond to Google+ with these features.

What do you think about this opinion?

@akasai akasai mentioned this issue Jan 25, 2019
Closed
5 tasks
@leomp12 leomp12 mentioned this issue Jan 30, 2019
Closed
@thesephist thesephist mentioned this issue Feb 2, 2019
Closed
@paulywill paulywill mentioned this issue Feb 15, 2019
Closed
@cbettinger
Copy link

Will there be a new release before March 7, 2019?

@MathRobin
Copy link

Hi, shutdown will be in 3 days, any update ? Thanks in advance !

@yahharo
Copy link

yahharo commented Mar 5, 2019

As you can see from this code, if you set up options.userProfileURL, this module will not access the Google+ API.
https://github.com/jaredhanson/passport-google-oauth2/blob/v1.0.0/lib/strategy.js#L54

So, as written in #51, I think that you should add userProfileURL like below:

new GoogleStrategy({
  clientID: GOOGLE_CLIENT_ID,
  clientSecret: GOOGLE_CLIENT_SECRET,
  callbackURL: "http://www.example.com/auth/google/callback",
  // This option tells the strategy to use the userinfo endpoint instead
  userProfileURL: "https://www.googleapis.com/oauth2/v3/userinfo",
}

@jakubgs jakubgs mentioned this issue Mar 5, 2019
Closed
@cbettinger
Copy link

Since calls to the old Google+ API started to intermittently fail in January, I already have applied the aforementioned solution to my project and released a new version. Nevertheless I am interested in the question when a new release of passport-google-oauth2 will be published.

@skdelphix
Copy link

skdelphix commented Mar 5, 2019
edited
Loading

As you can see from this code, if you set up options.userProfileURL, this module will not access the Google+ API.
https://github.com/jaredhanson/passport-google-oauth2/blob/v1.0.0/lib/strategy.js#L54

So, as written in #51, I think that you should add userProfileURL like below:

new GoogleStrategy({
  clientID: GOOGLE_CLIENT_ID,
  clientSecret: GOOGLE_CLIENT_SECRET,
  callbackURL: "http://www.example.com/auth/google/callback",
  // This option tells the strategy to use the userinfo endpoint instead
  userProfileURL: "https://www.googleapis.com/oauth2/v3/userinfo",
}

If you make this change, are you then able to disable the API in the Google dashboard without any issues? Is there some Google-side component to configure as a replacement?

I set the userProfileURL as suggested but still see my API usage for Google+ API going up whenever a login occurs on my app.

@springuper springuper mentioned this issue Mar 6, 2019
Closed
@yahharo
Copy link

yahharo commented Mar 6, 2019

@skdelphix

If you make this change, are you then able to disable the API in the Google dashboard without any issues? Is there some Google-side component to configure as a replacement?

At least, in our environment using this module, even if you disable Google+ API, it works fine. 😉

@skdelphix
Copy link

@skdelphix

If you make this change, are you then able to disable the API in the Google dashboard without any issues? Is there some Google-side component to configure as a replacement?

At least, in our environment using this module, even if you disable Google+ API, it works fine. 😉

Well there's the problem, I was on version 0.2.0. Updated to 1.0.0 and disabled the API, everything is great now.

@jaredhanson
Copy link
Owner

[email protected] has been published to npm. More information here: https://medium.com/passportjs/google-api-shutdown-330c3b47e3df

@guna-yes
Copy link

guna-yes commented Mar 30, 2020
edited
Loading

use userProfileURL: "https://www.googleapis.com/oauth2/v3/userinfo" in your strategy.This will remove google+ authentication and it goes into another endpoint "userinfo".

@Harshit2929
Copy link

using userProfileURL: "https://www.googleapis.com/oauth2/v3/userinfo" in strategy works well now also.This will remove google+ authentication and it goes into another endpoint "userinfo".

@sujin-sam
Copy link

pls add the solution to the README and to this doc http://www.passportjs.org/packages/passport-google-oauth20/

@aztuhin
Copy link

aztuhin commented Jul 7, 2023

Is it solve this issue?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests