Google oAuth 2.0 new authorization and token endpoint

6
votes

I will update my code for Google oAuth2.0 web-views disallow warning. I found the authorization and token endpoints had changed in document.

I use the endpoint as follows since 2014.

  1. "accounts.google.com/o/oauth2/auth"
  2. "accounts.google.com/o/oauth2/token"

new endpoint as follows

  1. "accounts.google.com/o/oauth2/v2/auth"
  2. "www.googleapis.com/oauth2/v4/token"

I try my code for old and new endpoint. It works on all endpints. Can I still use old endpoints? or Have expired date for old endpoints?

Thanks!

1
google-oauth
I haven't heard anything about the old endpoints being deprecated. However if there are newer ones I would always use the newest. There seams to be something in the documentation about some features only working with the old endpoint. Pinging someone at Google for clarification.DaImTo

1 Answers

6
votes

In order to be fully compliant with the OpenIDConnect spec, We created the new endpoints because we didn't want to break existing developers. So the new endpoints are OpenIDConnect complaint (and tools find them through discovery doc). There are minor changes (I don't remember all of them at the moment) .. e.g. issuer in the id_token is https://accounts.google.com instead of accounts.google.com

Since many new open source tools in the future (which you may use) will be OpenIDConnect complaint, I suggest using the new ones. We don't have any plans to deprecate the old ones but will continue to monitor the usage and decide if it is worth deprecating if all the traffic shifts to new ones.