Meanwhile on Google Plus...

Google Plus is shutting down – fix your .NET OAuth flow!

This post was most recently updated on July 26th, 2024.

5 min read.

Google is shutting down their Facebook killer, Google+. While I’m sure there are at least 10 end-users that are sad to see the ill-fated not-that-social-medium go, the implications for Software Developers actually could be far more far-reaching.

A lot of implementations of Google’s OAuth seem to rely on Google Plus’s APIs to get gather information about the user. When Google Plus goes down, so will the APIs. Their apparently unsafe implementation seems to be a major reason Google’s hastening the shutdown anyway.

This means that OAuth implementations relying on any Google Plus APIs will start failing starting 14.2.2019, and stop working completely on 7.3.2019.

While this has been known for a while, it took Google some time to inform the developers about this. Eventually, they did send out a notification about the change as well:

Email from Google: [Action Required] Google+ APIs and OAuth requests are being shutdown on March 7, 2019
Email from Google: [Action Required] Google+ APIs and OAuth requests are being shut down on March 7, 2019

And the contents are quite worrisome:

Email from Google: Google+ APIs and OAuth requests after March 7, 2019 will fail. Helpfully, there's a list of requested scopes and APIs I'm using.
Email from Google: Google+ APIs and OAuth requests after March 7 2019, will fail. Helpfully, there’s a list of requested scopes and APIs I’m using.

So the APIs will be gone, what’s next?

(Pro tip: If you’re not interested in my ramblings about Google Plus, just click this to go straight to code!)

Background

I actually first heard about this in late 2018, when I ran into an issue whilst building a custom OAuth authentication middleware. I got this, very non-descriptive error, and that got me googling:

Error loading external login information

The error came up after a configuration mistake I made, and fixed. But when googling, I stumbled upon a related, but FAR scarier issue! A lot of OAuth implementations are going to go down in flames in a couple of months.

.NET Core web app using OAuth 2.0: "Error loading external login information."
.NET Core web app using OAuth 2.0: “Error loading external login information.”

Google is retiring their apparently unsafe APIs for Google+, and this includes the API used for OAuth authentication. This is, for example, the API Microsoft’s implementation for Google authentication on ASP.NET Framework and ASP.NET Core currently uses.

Since Google launched Google Plus, they started pushing their users towards the platform fairly aggressively. Everyone would be automatically provisioned a profile if they used Gmail, Google Photos, Google Drive or Blogger. This inflated the number of user accounts on Google+ greatly and quite quickly. Of course, most of these accounts never posted anything on the platform.

Google+ experienced massive growth during the first few weeks due to Google's policy of forcibly creating new profiles for everyone. Image source: https://searchengineland.com/behind-the-numbers-of-googles-monumental-rise-to-25-million-unique-visitor-88076
Google+ experienced massive growth during the first few weeks due to Google’s policy of forcibly creating new profiles for everyone. Image source: Searchengineland.

This means, that despite the platform not having that many active users, it still offered access to vast troves of personal information. Even an inactive account has profile information (thanks to Google’s multiple web properties and their partially shared user account information), so scraping, or worse yet, programmatically extracting all the info from these profiles provided the attackers with a lot of valuable information.

Solution: use other APIs for authentication and user info

Okay – how to avoid your authentication flow from breaking when Google starts shutting down Google Plus? From what I’m seeing, there are a couple of steps you need to take no matter if you’ve implemented your authentication flow yourself, or if you’re using a middleware such as Owin for your authentication needs.

But first things first – update your dependencies!

Time needed: 20 minutes

Nuget updates for your Google authentication needs

  1. Are you using nuget packages or similar external libraries to handle authentication for your web app? If so, make sure to update your dependencies!


    Packages like Microsoft.Owin.Security.Google in .NET Framework or the built-in Google authentication provider in your .NET Core project is implementing workarounds or fixes at least for the user info APIs. Might be a bit tight for the deadline, though!

    For an ASP.NET Core project, if you’re already using at least 2.1, the changes to scopes and Claims I’m showing below should be enough.

    For .NET Framework project using Microsoft.Owin.Security.Google, you’ll need to update it to version 4.0.1. Check this page out for the version history: https://www.nuget.org/packages/Microsoft.Owin.Security.Google/

  2. Scope changes


    Even if you’re using middleware, you might be requesting different scopes for your application.
    According to Google’s documentation, you need to get rid of these scopes:

    plus.login
    plus.me
    plus.profile.emails.read

    The scopes below should be enough to authenticate and despite the name of plus.login, apparently they’re not affected by the shutdown. After disabling the API, it at least still works… :)

    services.AddAuthentication().AddGoogle(options =>
    {
       options.Scope.Add("openid");
       options.Scope.Add("profile");
       options.Scope.Add("email");
     
       // Rest of the implementation omitted
    }

  3. Code changes


    I’m using ASP.NET Core’s built-in libraries for my Google authentication. Chances are, that’s what you do as well. You’ll need to keep your ASP.NET Core them up-to-date if you want to avoid this issue – at the time of writing this, the team is developing a fix for this issue, so updating to the next version (published sometime during February) should do the trick for you!

    More info about this on Microsoft’s site: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/social/google-logins?view=aspnetcore-2.2

    Before that, what changes do you need to do to make it work? Luckily, there’s a GitHub issue with useful comments about the case – see what works for my project below:

    services.AddAuthentication().AddGoogle(options =>
    {
       // Fixes Google OAuth2 when plus dies, check this out: https://github.com/aspnet/AspNetCore/issues/6069#issuecomment-449461197
       options.UserInformationEndpoint = "https://www.googleapis.com/oauth2/v2/userinfo";
       options.ClaimActions.Clear();
       options.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "id");
       options.ClaimActions.MapJsonKey(ClaimTypes.Name, "name");
       options.ClaimActions.MapJsonKey(ClaimTypes.GivenName, "given_name");
       options.ClaimActions.MapJsonKey(ClaimTypes.Surname, "family_name");
       options.ClaimActions.MapJsonKey("urn:google:profile", "link");
       options.ClaimActions.MapJsonKey(ClaimTypes.Email, "email");
       options.ClaimActions.MapJsonKey("urn:google:image", "picture");
     
       // Rest of the implementation omitted
    }


    If you’ve developed your OAuth authentication middleware yourself, you’ll need to stop using the APIs that Google is shutting down.

    Additionally, even if you’re using middleware developed by someone else, you might be using the API for something. It’s a good idea to transition out of that ASAP – probably the easiest way to do that is to remove the scopes from your authorization request, and see if something breaks :) As usual, please do this in a test environment before production…

Postface

This issue will probably concern other technologies than ASP.NET Framework and ASP.NET Core projects as well, but of course, those are my main concerns. That’s why the code examples are for them :)

Hopefully, if you’re relying on Google Plus APIs while using Google’s OAuth in your Java or PHP projects, you might still get a basic idea of what to do by reading this post!

Also, if you want to test if your code changes had the desired effect, you can disable the Google+ API already yourself. If everything goes as it should, you shouldn’t have to do anything about the user accounts already in the database with this method.

How to disable the Google Plus API from your project?

The API that’s being deprecated is called Google+ API. Plain and simple!

This is the URL you’ll need to browse to. Just log in and choose your project: https://console.developers.google.com/apis/library/plus.googleapis.com?q=plus

Google+ API on Google's Developer console. This one is going away on 7.3.2019.
Google+ API on Google’s Developer console. This one is going away on 7.3.2019.

Go ahead and hit “Disable” on that guy, if it’s enabled for your project. It’ll happen eventually anyway, so you can just start suffering already.

mm
5 1 vote
Article Rating
Subscribe
Notify of
guest

0 Comments
most voted
newest oldest
Inline Feedbacks
View all comments