Meanwhile on Google Plus...

Google Plus is shutting down – fix your .NET OAuth flow!

Google is shutting down their Facebook killer, Google+. While I’m sure there are at least 10 end users who are sad to see the ill-fated not-that-social medium go, the implications for software developers could actually be far more wide-reaching.

A lot of implementations of Google’s OAuth seem to rely on Google Plus’s APIs to gather information about the user. When Google Plus goes down, so will those APIs. Their apparently unsafe implementation seems to be a major reason Google is hastening the shutdown anyway.

This means that OAuth implementations relying on any Google Plus APIs will start failing on 14.2.2019, and stop working completely on 7.3.2019.

While this has been known for a while, it took Google some time to inform the developers about this. Eventually they did send out a notification about the change as well:

Email from Google: [Action Required] Google+ APIs and OAuth requests are being shutdown on March 7, 2019

And the contents are quite worrisome:

Email from Google: Google+ APIs and OAuth requests after March 7, 2019 will fail. Helpfully, there's a list of requested scopes and APIs I'm using.

So the APIs will be gone, what’s next?

(Pro tip: If you’re not interested in my ramblings about Google Plus, just skip ahead to the code!)

Background

I actually first heard about this in late 2018, when I ran into an issue while building a custom OAuth authentication middleware. I got this very non-descriptive error, which got me googling:

Error loading external login information

The error came up after a configuration mistake I made, and fixed. But while googling, I stumbled upon a related, but FAR scarier issue: a lot of OAuth implementations are going to go down in flames in a couple of months.

.NET Core web app using OAuth 2.0: "Error loading external login information."

Google is retiring their apparently unsafe APIs for Google+, and this includes the API used for OAuth authentication. This is, for example, the API that Microsoft’s Google authentication implementation for ASP.NET Framework and ASP.NET Core currently uses.

Since Google launched Google Plus, they pushed their users towards the platform fairly aggressively. Everyone who used Gmail, Google Photos, Google Drive or Blogger was automatically provisioned a profile. This inflated the number of user accounts on Google+ greatly and quite quickly. Of course, most of these accounts never posted anything on the platform.

Google+ experienced massive growth during the first few weeks due to Google's policy of forcibly creating new profiles for everyone. Image source: https://searchengineland.com/behind-the-numbers-of-googles-monumental-rise-to-25-million-unique-visitor-88076

This means that despite the platform not having that many active users, it still offered access to vast troves of personal information. Even an inactive account has profile information (thanks to Google’s multiple web properties and their partially shared user account data), so scraping, or worse yet, programmatically extracting all the info from these profiles gave attackers a lot of valuable information.

Solution: use other APIs for authentication and userinfo

Okay – how do you keep your authentication flow from breaking when Google shuts down Google Plus? From what I’m seeing, there are a couple of steps you need to take, no matter whether you’ve implemented your authentication flow yourself or are using a middleware such as Owin for your authentication needs.

But first things first – update your dependencies!

Nuget updates for your Google authentication needs

Are you using nuget packages or similar external libraries to handle authentication for your web app? If so, make sure to update your dependencies!

Packages like Microsoft.Owin.Security.Google in .NET Framework, or the built-in Google authentication provider in your .NET Core project, are implementing workarounds or fixes, at least for the userinfo APIs. Might be a bit tight for the deadline, though!

For an ASP.NET Core project, if you’re already using at least 2.1, the changes to scopes and Claims I’m showing below should be enough.

For a .NET Framework project using Microsoft.Owin.Security.Google, you’ll need to update it to version 4.0.1. Check this page out for the version history: https://www.nuget.org/packages/Microsoft.Owin.Security.Google/

Scope changes

Even if you’re using middleware, you might be requesting different scopes for your application.

According to Google’s documentation, you need to get rid of these scopes:

  • plus.login
  • plus.me
  • plus.profile.emails.read

The scopes below should be enough to authenticate, and despite the name plus.login, apparently they’re not affected by the shutdown. After disabling the API, it at least still works… :)

services.AddAuthentication().AddGoogle(options =>
{
   // Request only the OpenID Connect scopes; none of the plus.* scopes
   options.Scope.Add("openid");
   options.Scope.Add("profile");
   options.Scope.Add("email");

   // Rest of the implementation omitted
});

Code changes

I’m using ASP.NET Core’s built-in libraries for my Google authentication. Chances are, that’s what you do as well. You’ll need to keep your ASP.NET Core packages up-to-date if you want to avoid this issue – at the time of writing, the team is developing a fix for it, so updating to the next version (published some time during February) should do the trick for you!

More info about this on Microsoft’s site: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/social/google-logins?view=aspnetcore-2.2

Before that, what changes do you need to make to get it working? Luckily, there’s a GitHub issue with useful comments about the case – see what works for my project below:

// Requires: using System.Security.Claims; (for ClaimTypes)
services.AddAuthentication().AddGoogle(options =>
{
   // Fixes Google OAuth2 when plus dies, check this out: https://github.com/aspnet/AspNetCore/issues/6069#issuecomment-449461197
   // Point the provider at the OAuth2 userinfo endpoint instead of the Google+ people API
   options.UserInformationEndpoint = "https://www.googleapis.com/oauth2/v2/userinfo";
   // Drop the default (Google+ shaped) claim mappings and map the userinfo JSON keys instead
   options.ClaimActions.Clear();
   options.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "id");
   options.ClaimActions.MapJsonKey(ClaimTypes.Name, "name");
   options.ClaimActions.MapJsonKey(ClaimTypes.GivenName, "given_name");
   options.ClaimActions.MapJsonKey(ClaimTypes.Surname, "family_name");
   options.ClaimActions.MapJsonKey("urn:google:profile", "link");
   options.ClaimActions.MapJsonKey(ClaimTypes.Email, "email");
   options.ClaimActions.MapJsonKey("urn:google:image", "picture");

   // Rest of the implementation omitted
});
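To see what the scope cleanup and the claim mapping above actually do to real data, here is the same logic as an added Python example (not from this post or from ASP.NET Core) that runs offline against a constructed userinfo response. The claim URIs are the values the ClaimTypes constants expand to; the sample response and the helper names are made up for the example.

```python
import json

# URIs the ASP.NET Core ClaimTypes constants resolve to.
NAME_ID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
GIVEN_NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
SURNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Same JSON-key -> claim mapping as the MapJsonKey calls above.
CLAIM_MAP = [
    (NAME_ID, "id"), (NAME, "name"), (GIVEN_NAME, "given_name"),
    (SURNAME, "family_name"), ("urn:google:profile", "link"),
    (EMAIL, "email"), ("urn:google:image", "picture"),
]

DEPRECATED_SCOPES = {"plus.login", "plus.me", "plus.profile.emails.read"}
REQUIRED_SCOPES = ["openid", "profile", "email"]


def short_scope(scope):
    # Google scopes may be given as full URLs (https://www.googleapis.com/auth/plus.login);
    # compare on the last path segment so both spellings are recognised.
    return scope.rstrip("/").rsplit("/", 1)[-1]


def migrate_scopes(scopes):
    """Drop the Google+ scopes and make sure the OpenID Connect ones are requested."""
    kept = [s for s in scopes if short_scope(s) not in DEPRECATED_SCOPES]
    present = {short_scope(s) for s in kept}
    kept.extend(r for r in REQUIRED_SCOPES if r not in present)
    return kept


def map_userinfo_claims(body):
    """Turn an oauth2/v2/userinfo JSON body into {claim_type: value}.

    Like MapJsonKey, keys missing from the response are skipped (e.g. no email when
    the email scope was not granted); a missing id is an error because the account
    cannot be matched to an existing login without it.
    """
    data = json.loads(body)
    if "id" not in data:
        raise ValueError("userinfo response has no 'id'; cannot identify the user")
    return {claim: str(data[key]) for claim, key in CLAIM_MAP if key in data}


# Constructed sample response, shaped like oauth2/v2/userinfo (values are made up).
SAMPLE_USERINFO = json.dumps({
    "id": "1234567890", "name": "Example User", "given_name": "Example",
    "family_name": "User", "link": "https://example.invalid/profile",
    "picture": "https://example.invalid/photo.jpg", "verified_email": True,
})
```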

If you’ve developed your OAuth authentication middleware yourself, you’ll need to stop using the APIs that Google is shutting down.

Additionally, even if you’re using a middleware developed by someone else, you might be using the API for something else. It’s a good idea to transition out of that ASAP – probably the easiest way to do that is to remove the scopes from your authorization request and see if something breaks :) As usual, please do this in a test environment before production…

Postface

This issue will probably concern other technologies than ASP.NET Framework and ASP.NET Core projects as well, but of course those are my main concerns. That’s why the code examples are for them :)

Hopefully, if you’re relying on Google Plus APIs while using Google’s OAuth in your Java or PHP projects, you might still get the basic idea on what to do by reading this post!

Also, if you want to test whether your code changes had the desired effect, you can already disable the Google+ API yourself. If everything goes like it should, you shouldn’t have to do anything about the user accounts already in the database with this method.

How to disable the Google Plus API from your project?

The API that’s being deprecated is called Google+ API. Plain and simple!

This is the URL you’ll need to browse to. Just log in and choose your project: https://console.developers.google.com/apis/library/plus.googleapis.com?q=plus

Google+ API on Google's Developer console. This one is going away on 7.3.2019.

Go ahead and hit “Disable” on that guy, if it’s enabled for your project. It’ll happen eventually anyway, so you can just start the suffering already.

Antti K. Koskela

Solutions Architect / Escalations Engineer at Koskila / Norppandalotti Software / Valo Solutions
Antti Koskela is a proud digital native nomadic millennial full stack developer (is that enough funny buzzwords? That's definitely enough funny buzzwords!), who works as a Solutions Architect for Valo Intranet, the product that will make you fall in love with your intranet. Working with the global partner network, he's responsible for the success of Valo deployments happening all around the world. He's been a developer from 2004 (starting with PHP and Java), and he's been bending and twisting SharePoint into different shapes since MOSS. Nowadays he's not only working on SharePoint, but also on .NET projects, Azure, Office 365 and a lot of other stuff. This is his personal professional (e.g. professional, but definitely personal) blog.
