Google+ OAuth API Deprecation

I received an email this morning from Google mentioning a project I have that is using some Google+ OAuth APIs that are deprecated and will be fully shut down on March 7. Some API calls will start to intermittently fail as of yesterday and OAuth requests for Google+ scopes will start to intermittently fail as early as February 15. As such, this is quite urgent.

In the project mentioned in the email, I do not use OAuth with anything else other than through Auth0. As such, it must be coming from somewhere internally in Auth0’s code. The specific endpoint it mentioned is the plus.me endpoint (found here). It appears that this deprecation has been leading to changes in other auth libraries such as Passport (see GitHub issues here and here) and the issue could be quite simply changing from one API endpoint to another. I assume the reason for accessing this endpoint is because of the required nature of the basic and extended profiles when setting up a Google connection of any kind in Auth0 (either Social or Enterprise)

Are there plans to fix this before the full shutdown of the Google+ APIs on March 7?

@konrad.sopala I saw you commenting on a somewhat similar ticket (LinkedIn connection deprecated?), so hopefully you might be able to help with this as well.

Hey @sporkbytesalex !

Thanks a lot for tagging me. I just reached out to appropriate team about that! Will get back to you with any news they have!

1 Like

Awesome, thanks so much!

1 Like

For what it’s worth, I’ve received a second email from Google with the following:

Dear Developer,

Earlier this week we sent you an email related to your projects that will be impacted by the Google+ API shutdown, which also affects requests for Google+ OAuth scopes.

The email listed that one or more of your projects are requesting the “plus.me” scope, and would thus be affected. We would like to clarify that only projects directly requesting the “plus.me” scope are affected . This scope may have been listed in some emails, even if not directly requested by your project. We apologize for any confusion caused.

If you are directly requesting the “plus.me” scope, any other Google+ OAuth scopes, or making any Google+ API calls, please ensure that you remove these requests from your project before March 7, 2019 .

To see if your project is directly requesting the “plus.me” or any other Google+ OAuth scopes:

  • If your project is written in Google Apps Script, you can view which scopes your project is requesting by reviewing your project properties in App Script Editor.
  • If your project is not written in Google Apps Script, please check your code for references to “plus.me” in OAuth scope requests. We recommend that you review projects using any 3rd-party libraries that support sign-in or social functionality, as these may also be affected by the shutdown.

Thanks for being a valued Google+ Developer.

Sincerely,
The Google+ API team

Considering we don’t have any Google Apps Script applications and we don’t have any references to plus.me anywhere in our code, this reaffirms that there must be something somewhere in Auth0 that references it. Hopefully you get some good news from the team.

Hey @sporkbytesalex!

I managed to get following news from our engineering team.

On December 10th, Google decided to accelerate the shutdown of their Google+ service to April 2019. Google has set the following dates for the final decommission of Google+ APIs and related elements:

  • Final shutdown: March 7th, 2019
  • Intermittent errors: from January 28th, 2019 until the shutdown date

Auth0’s Google Social Connection supports the “https://www.googleapis.com/auth/plus.me” scope (labeled “Google+” in the Auth0 Dashboard and “google_plus” in the Auth0 Management API). This scope is part of the elements that will be removed from Google APIs after the final decommission date.

From January 28th, 2019, and until the final decommission date, Google will introduce intermittent errors in calls performed to their APIs when this scope is used. These errors are outside of Auth0’s control and may result in users failing to log in using the Google Social Connection. To prevent this from happening, you must manually disable the “Google+” permission in the Google Social Connection settings of the Auth0 Dashboard for all tenants. Alternatively, you may perform this step through the Auth0 Management API by removing the “google_plus” scope from all connections.

Note that disabling this scope will not change the user profile response from the API. It will, however, limit the scope of actions you can perform with the access token on Google APIs.

We will keep this scope available until the final decommission date to give our users enough time to adapt their backend services to the changes introduced by Google.

If you have not updated your Google Social Connection settings to remove this scope by March 7th, 2019, we will automatically remove it from all your existing connections.

@konrad.sopala thanks for the reply. I do see the option to uncheck Google+ in the permissions section when using the Google Social Connection, but we’re using the Google Apps connection under Enterprise. Here’s what I see:

As you can see, there is no Google+ option like that on the Social Connection. The options we have checked for Groups and Enable Users API don’t seem like ones that would use plus.me behind the scenes, so I’m not sure what here would be causing usage of plus.me.

Let me clarify it with the product team as I’m not aware of all the changes going on there

1 Like

@konrad.sopala have you heard any updates from the product team?

Hey @sporkbytesalex!

Sorry I was out of the office. Unfortunately nothing new yet. I pinged them just now so either I’ll update you on the status as soon as I get any more info or someone from our product team will reach out directly!

Hi @sporkbytesalex

We are not using https://www.googleapis.com/auth/plus.me scope or calling that API from our code when using enterprise connections. We are not using that passport strategy FWIW.

Are you seeing that scope being requested as part of the calls to the Google authorization endpoint? If you do, can you share your tenant name so we can take a look at it and see if we find something special?

Thanks

Andres

Please send us your tenant name via DM so as not to share it publicly.

Thanks!

Hi @andres.aguiar,

Pardon my ignorance, but where would I be able to see those calls to the Google authorization endpoint? If the location would be in Google’s developer console, then no, I do not see that scope being requested. The only Google APIs we have enabled are either for location-related services or the Admin SDK and the Admin SDK only has calls to directory.groups.list.

I can DM you our tenant name if you’d like to look and see if there is indeed something special happening, but given the information you and @konrad.sopala have given me, it would appear that we will be safe after Google shuts down the Google+ APIs since we use the Google Apps enterprise connection.

Thanks for all of your help.
Alex

If the scope is used, it should be part of the URL that you get redirected to when logging-in to google apps, e.g.

https://accounts.google.com/o/oauth2/auth?hd=auth0.com&response_type=code&redirect_uri=https%3A%2F%2Fauth0corp.auth0.com%2Flogin%2Fcallback&**scope=email%20profile**&state=LWl7nw346J6LgkqeZB29&client_id=104565000066-suuvmcknfae3len0nd.apps.googleusercontent.com

You should be able to see that as part in the network traffic log in your browser.

@andres.aguiar scope=email%20profile is what we have for the scope query string param in the URL.

You are fine then :slight_smile:

1 Like

Thanks a lot everyone for getting it clear finally :slight_smile: @sporkbytesalex if you have any further questions do not hesitate to reach back to us!

1 Like

Awesome, thanks so much for your help @andres.aguiar and @konrad.sopala!

No worries, we’re here for you!

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.