I received an email this morning from Google mentioning a project I have that is using some Google+ OAuth APIs that are deprecated and will be fully shut down on March 7. Some API calls will start to intermittently fail as of yesterday and OAuth requests for Google+ scopes will start to intermittently fail as early as February 15. As such, this is quite urgent.
In the project mentioned in the email, I do not use OAuth with anything else other than through Auth0. As such, it must be coming from somewhere internally in Auth0’s code. The specific endpoint it mentioned is the plus.me endpoint (found here). It appears that this deprecation has been leading to changes in other auth libraries such as Passport (see GitHub issues here and here) and the issue could be quite simply changing from one API endpoint to another. I assume the reason for accessing this endpoint is because of the required nature of the basic and extended profiles when setting up a Google connection of any kind in Auth0 (either Social or Enterprise).
Are there plans to fix this before the full shutdown of the Google+ APIs on March 7?
For what it’s worth, I’ve received a second email from Google with the following:
Dear Developer,
Earlier this week we sent you an email related to your projects that will be impacted by the Google+ API shutdown, which also affects requests for Google+ OAuth scopes.
The email listed that one or more of your projects are requesting the “plus.me” scope, and would thus be affected. We would like to clarify that only projects directly requesting the “plus.me” scope are affected. This scope may have been listed in some emails, even if not directly requested by your project. We apologize for any confusion caused.
If you are directly requesting the “plus.me” scope, any other Google+ OAuth scopes, or making any Google+ API calls, please ensure that you remove these requests from your project before March 7, 2019.
To see if your project is directly requesting the “plus.me” or any other Google+ OAuth scopes:
If your project is written in Google Apps Script, you can view which scopes your project is requesting by reviewing your project properties in App Script Editor.
If your project is not written in Google Apps Script, please check your code for references to “plus.me” in OAuth scope requests. We recommend that you review projects using any 3rd-party libraries that support sign-in or social functionality, as these may also be affected by the shutdown.
Thanks for being a valued Google+ Developer.
Sincerely,
The Google+ API team
Considering we don’t have any Google Apps Script applications and we don’t have any references to plus.me anywhere in our code, this reaffirms that there must be something somewhere in Auth0 that references it. Hopefully you get some good news from the team.
From January 28th, 2019, and until the final decommission date, Google will introduce intermittent errors in calls performed to their APIs when this scope is used. These errors are outside of Auth0’s control and may result in users failing to log in using the Google Social Connection. To prevent this from happening, you must manually disable the “Google+” permission in the Google Social Connection settings of the Auth0 Dashboard for all tenants. Alternatively, you may perform this step through the Auth0 Management API by removing the “google_plus” scope from all connections.
Note that disabling this scope will not change the user profile response from the API. It will, however, limit the scope of actions you can perform with the access token on Google APIs.
We will keep this scope available until the final decommission date to give our users enough time to adapt their backend services to the changes introduced by Google.
If you have not updated your Google Social Connection settings to remove this scope by March 7th, 2019, we will automatically remove it from all your existing connections.
@konrad.sopala thanks for the reply. I do see the option to uncheck Google+ in the permissions section when using the Google Social Connection, but we’re using the Google Apps connection under Enterprise. Here’s what I see:
As you can see, there is no Google+ option like that on the Social Connection. The options we have checked for Groups and Enable Users API don’t seem like ones that would use plus.me behind the scenes, so I’m not sure what here would be causing usage of plus.me.
Sorry I was out of the office. Unfortunately nothing new yet. I pinged them just now so either I’ll update you on the status as soon as I get any more info or someone from our product team will reach out directly!
We are not using https://www.googleapis.com/auth/plus.me scope or calling that API from our code when using enterprise connections. We are not using that passport strategy FWIW.
Are you seeing that scope being requested as part of the calls to the Google authorization endpoint? If you do, can you share your tenant name so we can take a look at it and see if we find something special?
Pardon my ignorance, but where would I be able to see those calls to the Google authorization endpoint? If the location would be in Google’s developer console, then no, I do not see that scope being requested. The only Google APIs we have enabled are either for location-related services or the Admin SDK and the Admin SDK only has calls to directory.groups.list.
I can DM you our tenant name if you’d like to look and see if there is indeed something special happening, but given the information you and @konrad.sopala have given me, it would appear that we will be safe after Google shuts down the Google+ APIs since we use the Google Apps enterprise connection.
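One way to check whether a login flow requests the plus.me scope, as an added example that is not part of the thread and is not Auth0 or Google code: it parses redirect URLs to Google's authorization endpoint (copied, for instance, from the browser's network log during a login) and reports any Google+ scopes in the `scope` parameter. The sample URLs, client IDs and tenant name are constructed, and treating every scope under `https://www.googleapis.com/auth/plus.` as a Google+ scope is an assumption that generalizes the one scope named above.

```javascript
// Added example. All URLs and client IDs below are constructed samples.
const GOOGLE_AUTH_HOST = "accounts.google.com";
// Assumption: Google+ scopes share this prefix (plus.me is the one named in the thread).
const GOOGLE_PLUS_PREFIX = "https://www.googleapis.com/auth/plus.";

// Return the list of scopes requested by one parsed authorization URL.
function extractScopes(url) {
  // RFC 6749 section 3.3: scope is a space-delimited list. searchParams
  // decodes both "%20" and "+" to spaces before we split.
  return (url.searchParams.get("scope") || "").split(/\s+/).filter(Boolean);
}

// Classify each captured redirect as unparsable, skipped (not Google), clean or affected.
function auditRedirects(capturedUrls) {
  return capturedUrls.map((raw) => {
    let url;
    try {
      url = new URL(raw);
    } catch (err) {
      return { raw, status: "unparsable", plusScopes: [] };
    }
    // Exact host comparison, so look-alike hosts are not mistaken for Google.
    if (url.hostname !== GOOGLE_AUTH_HOST) {
      return { raw, status: "skipped", plusScopes: [] };
    }
    const plusScopes = extractScopes(url).filter((s) => s.startsWith(GOOGLE_PLUS_PREFIX));
    return {
      raw,
      status: plusScopes.length > 0 ? "affected" : "clean",
      clientId: url.searchParams.get("client_id"),
      plusScopes,
    };
  });
}

// Constructed sample redirects: a clean request, one that asks for plus.me,
// a non-Google URL, and a malformed entry.
const SAMPLE_REDIRECTS = [
  "https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=constructed-1.apps.googleusercontent.com&scope=email%20profile",
  "https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=constructed-2.apps.googleusercontent.com&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fplus.me",
  "https://example-tenant.auth0.com/authorize?scope=openid%20profile",
  "not a url",
];

for (const r of auditRedirects(SAMPLE_REDIRECTS)) {
  console.log(r.status, r.clientId || "-", r.plusScopes.join(",") || "-");
}
```

An "affected" row identifies the Google client ID whose connection still requests a Google+ scope, which is the detail the tenant owner or support would need.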