Steps to minimize the impact of scope changes on users
- If your application requires the email address of an authenticated user, and you've previously used `profile.emails.read` for that purpose, use `email` instead.
- Obtain approval for `profile.emails.read` with an approved verification request. Refer to How do I submit for verification?
- Revoke the prior user token to the scope that's to be removed or remove access to the application entirely. For example, a token with `profile.emails.read` access should be revoked. We recommend you apply the revocation while your users are in your application so that you can get user consent immediately.
- Prompt your users to re-consent with the new scope, such as `email`, without `profile.emails.read`.
- Remove the scope that's to be phased out of your Google APIs OAuth consent screen configuration.

The changes you must make to migrate your site from Google+ Sign-In to Google Sign-In depend on which Google+ Sign-In flow you use. Generally, the migration requires you to update your sign-in button, requested scopes, and instructions on how to retrieve profile information from Google.
When you update your sign-in button, do not refer to G+ or use the color red. Conform to our updated branding guidelines.
Most G+ Sign-In applications requested some combination of the scopes: `plus.login`, `plus.me` and `plus.profile.emails.read`. You need to remap your scopes as follows:

| Old scope | New scope |
|---|---|
| plus.login | profile |
| plus.me | openid |
| plus.profile.emails.read | email |

Many implementers of Google+ Sign-In used the
code flow. This means
that the Android, iOS, or JavaScript apps obtain an OAuth code from Google, and
the client sends that code back to the server, along with cross-site request
forgery protection. The server then validates the code and obtains refresh and
access tokens to pull user profile information from the people.get
API.
Google now recommends that you request an ID token and send that ID token from your client to your server. ID tokens have cross-site forgery protections built-in and also can be statically verified on your server, which avoids an extra API call to get user profile information from Google’s servers. Follow the instructions to validate ID tokens on your server.
If you still prefer to use the code flow to obtain profile information,
you may do so. Once your server has an access token, you need to
obtain user profile information
from the userinfo
endpoints specified in our Sign-In
Discovery document. The API
response is formatted differently than the Google+ profile response, so you
need to update your parsing to the new format.
Migrate an HTML sign-in button
If you included a Google+ Sign-In button in your page by assignment of the class `g-signin` to an element, make the following changes:

When you specify your client ID, either in a `<meta>` tag, a `data-` attribute, or a parameters object, change the string `clientid` to `client_id`, as in the following example:

```html
<!-- Google+ Sign-in (old) -->
<meta name="google-signin-clientid" content="YOUR_CLIENT_ID">
```

```html
<!-- Google Sign-in (new) -->
<meta name="google-signin-client_id" content="YOUR_CLIENT_ID">
```

Assign the class `g-signin2` to the sign-in button element instead of `g-signin`. Also, specify separate success and failure callbacks instead of a single callback, as in the following example:

```html
<!-- Google+ Sign-in (old) -->
<div
  class="g-signin"
  data-callback="signinCallback">
</div>
```

```html
<!-- Google Sign-in (new) -->
<div
  class="g-signin2"
  data-onsuccess="onSignIn"
  data-onfailure="onSignInFailure">
</div>
```

Instead of a single callback handler, define success and failure handlers, as in the following example:

```javascript
// Google+ Sign-in (old)
function signinCallback(authResult) {
  if (authResult['status']['signed_in']) {
    // Handle successful sign-in
  } else {
    // Handle sign-in errors
    console.log('Sign-in error: ' + authResult['error']);
  }
}
```

```javascript
// Google Sign-in (new)
function onSignIn(googleUser) {
  // Handle successful sign-in
}
function onSignInFailure() {
  // Handle sign-in errors
}
```

These changes update your default scopes to `profile email openid`. You can get the user’s basic profile information, like name, email, and photo image URL, as follows:

```javascript
// Google Sign-in (new)
function onSignIn(googleUser) {
  let profile = googleUser.getBasicProfile();
  let fullName = profile.getName();
  let email = profile.getEmail();
  let imageUrl = profile.getImageUrl();
}
```

Migrate a dynamically-rendered sign-in button
If you included a Google+ Sign-In button in your page by calling `gapi.signin.render()`, make the following changes:

When you specify your client ID, either in a `<meta>` tag, a `data-` attribute, or a parameters object, change the string `clientid` to `client_id`, as in the following example:

```html
<!-- Google+ Sign-in (old) -->
<meta name="google-signin-clientid" content="YOUR_CLIENT_ID">
```

```html
<!-- Google Sign-in (new) -->
<meta name="google-signin-client_id" content="YOUR_CLIENT_ID">
```

Render the sign-in button with `gapi.signin2.render()` rather than `gapi.signin.render()`, as in the following example:

```javascript
// Google+ Sign-in (old)
gapi.signin.render('myButton', additionalParams);
```

```javascript
// Google Sign-in (new)
gapi.signin2.render('myButton', additionalParams);
```

Instead of a single callback handler, define success and failure handlers, as in the following example:

```javascript
// Google+ Sign-in (old)
function signinCallback(authResult) {
  if (authResult['status']['signed_in']) {
    // Handle successful sign-in
  } else {
    // Handle sign-in errors
    console.log('Sign-in error: ' + authResult['error']);
  }
}
```

```javascript
// Google Sign-in (new)
function onSignIn(googleUser) {
  // Handle successful sign-in
}
function onSignInFailure() {
  // Handle sign-in errors
}
```

These changes update your default scopes to `profile email openid`. You can get the user’s basic profile information with the `getBasicProfile()` method.

Migrate a JavaScript-initiated sign-in flow
If you initiated the sign-in flow with a call to gapi.auth.signIn()
when users
click the sign-in button, make the following changes:
When you specify your client ID, either in a `<meta>` tag, a `data-` attribute, or a parameters object, change the string `clientid` to `client_id`, as in the following example:

```html
<!-- Google+ Sign-in (old) -->
<meta name="google-signin-clientid" content="YOUR_CLIENT_ID">
```

```html
<!-- Google Sign-in (new) -->
<meta name="google-signin-client_id" content="YOUR_CLIENT_ID">
```

Use `gapi.auth2.attachClickHandler()` to start the sign-in flow when a button is pressed, as in the following example:

```javascript
// Google+ Sign-in (old)
var signinButton = document.getElementById('signinButton');
signinButton.addEventListener('click', function() {
  gapi.auth.signIn(additionalParams);
});
```

```javascript
// Google Sign-in (new)
auth2 = gapi.auth2.init();
auth2.attachClickHandler('signinButton', additionalParams, onSignIn, onSignInFailure);
```

Instead of a single callback handler, define success and failure handlers, as in the following example:

```javascript
// Google+ Sign-in (old)
function signinCallback(authResult) {
  if (authResult['status']['signed_in']) {
    // Handle successful sign-in
  } else {
    // Handle sign-in errors
    console.log('Sign-in error: ' + authResult['error']);
  }
}
```

```javascript
// Google Sign-in (new)
function onSignIn(googleUser) {
  // Handle successful sign-in
}
function onSignInFailure() {
  // Handle sign-in errors
}
```

These changes update your default scopes to `profile email openid`. You can get the user’s basic profile information by a call to the `getBasicProfile()` method.

Migrate a hybrid server-side flow
If you used the JavaScript API to acquire a one-time authorization code for you to pass to your server, make the following changes:
Change the scope from `https://www.googleapis.com/auth/plus.login` to `profile`.

Use the `gapi.auth2.grantOfflineAccess()` method with your existing callback function, as in the following example:

```html
<!-- Google+ Sign-in (old) -->
<div class="g-signin"
  data-scope="https://www.googleapis.com/auth/plus.login"
  data-clientid="YOUR_CLIENT_ID"
  data-redirecturi="postmessage"
  data-accesstype="offline"
  data-callback="signInCallback">
</div>
```

```javascript
// Google Sign-in (new)
auth2 = gapi.auth2.init({
  client_id: 'YOUR_CLIENT_ID',
  scope: 'profile'
});

// ...

auth2.grantOfflineAccess().then(signInCallback);
```

If you also need access to the user’s email, add email
to the scope parameter.