Steps to minimize the impact of scope changes on users
- If your application requires the email address of an authenticated user, and you've previously used
profile.emails.read
for that purpose, useemail
instead. - Obtain approval for
profile.emails.read
with an approved verification request. Refer to How do I submit for verification? - Revoke the prior user token to the scope that's to be removed or remove access to the application entirely. For example, a token with
profile.emails.read
access should be revoked. We recommend you apply the revocation while your users are in your application so that you can get user consent immediately. - Prompt your users to re-consent with the new scope, such as
email
, withoutprofile.emails.read
. - Remove the scope that's to be phased out of your Google APIs OAuth consent screen configuration.
To migrate your app from Google+ Sign-In to Google Sign-In, you need to update your sign-in button, requested scopes, and instructions on how to retrieve profile information from Google. Follow our Google Sign In for Android documentation for full instructions.
When you update your sign-in button, do not refer to G+ or use the color red. Conform to our updated branding guidelines.
Most Google+ Sign-In applications requested some combination of the scopes:
plus.login
, plus.me
and plus.profile.emails.read
. By using
GoogleSignInOptions.Builder
with the DEFAULT_SIGN_IN
option, you will
automatically request the profile
scope which provides the user’s name and
profile picture. If you also want the user’s email address, you should call
.requestEmail()
when constructing Google sign-in options.
Many implementers of Google+ Sign-In used the
code flow. This means
that the Android, iOS or JavaScript apps obtain an OAuth authorization code from
Google, and the client sends that code back to the server, along with cross-site
request forgery protection. The server then validates the code and obtains
refresh and access tokens to pull user profile information from the people.get
API.
Google now recommends that you request an ID token and send the ID token from your client to your server. ID tokens have cross-site forgery protections built-in and also can be statically verified on your server, which avoids an extra API call to get user profile information from Google’s servers. Follow the instructions to validate ID tokens on your server.
If you still prefer to use the code flow to obtain profile information,
you may do so. Once your server has an access token, you need to
obtain user profile information
from the userinfo
endpoints specified in our Sign-In
Discovery document. The
API response is formatted differently than the Google+ profile response, so you
need to update your parsing to the new format.
If you are using GoogleAuthUtil.getToken
or Plus.API
, you should
migrate
to the newest Sign-In API for greater security and a better user experience.