1
votes

I've just received an email from Google warning me that our application uses Google+ APIs that will soon be shut down. This was a surprise, because we don't knowingly use any Google+ APIs. The email specifies that we use the plus.me method or OAuth scope.

I suspect that the warning might be generated because when we request access to the Google Calendar API we also ask for the userinfo.email scope so that we can remind the user which account we're publishing to. The complete list of scopes that we request for this application is:

https://www.google.com/calendar/feeds/

https://www.googleapis.com/auth/userinfo.email

To fetch the email address, we use:

https://www.googleapis.com/oauth2/v3/userinfo?alt=json&access_token=xxx

However, this returns more than just the email address that we're interested in:

{
  "sub":"xxx",
  "name":"John Smith",
  "given_name":"John",
  "family_name":"Smith",
  "profile":"https:\/\/plus.google.com\/xxx",
  "picture":"https:\/\/lh3.googleusercontent.com\/xxx/photo.jpg",
  "email":"[email protected]",
  "email_verified":true
}

Does this sound like a plausible explanation as to why Google are warning us about use of plus.me?

Does anyone know whether the "profile" value in the response will simply disappear after the Google+ shutdown, or whether I need to find a different way of requesting the email address?

What would be a better way of requesting only the account's email address that avoids any potential problems related to the Google+ shutdown?

Edited to add

I've just received the following clarification email from Google that makes it sound like my panic over the original email was unwarranted:

Dear Developer,

Earlier this week we sent you an email related to your projects that will be impacted by the Google+ API shutdown, which also affects requests for Google+ OAuth scopes.

The email listed that one or more of your projects are requesting the “plus.me” scope, and would thus be affected. We would like to clarify that only projects directly requesting the “plus.me” scope are affected. This scope may have been listed in some emails, even if not directly requested by your project. We apologize for any confusion caused.

If you are directly requesting the “plus.me” scope, any other Google+ OAuth scopes, or making any Google+ API calls, please ensure that you remove these requests from your project before March 7, 2019.

To see if your project is directly requesting the “plus.me” or any other Google+ OAuth scopes:

If your project is written in Google Apps Script, you can view which scopes your project is requesting by reviewing your project properties in App Script Editor.

If your project is not written in Google Apps Script, please check your code for references to “plus.me” in OAuth scope requests. We recommend that you review projects using any 3rd-party libraries that support sign-in or social functionality, as these may also be affected by the shutdown.

Thanks for being a valued Google+ Developer.

Sincerely, The Google+ API team


1 Answers

0
votes

I think that email about using "plus.me" is a Google bug. I'm using only the scope "https://www.googleapis.com/auth/userinfo.email" (which is the same as "email"), but in that email Google warns me that I'm using "plus.me". When I check my API console I see 3 scopes there which are greyed out and cannot be deleted. When I hover over "profile" there is "https://www.googleapis.com/auth/plus.me". Using https://www.googleapis.com/auth/plus.me is not safe because of the Google+ shutdown, but "profile" should be OK. Presenting "profile" as plus.me is misleading. I think Google does not manage shutting Google+ down well.


The params sub, profile and picture (scope "openid") are always included. If you use just the scope "email", the params of the "openid" scope will still be included. But name, given_name and family_name you should not have; I see them only for the "profile" scope. I have tested your two scopes, and I did not get those 3 params after requesting https://www.googleapis.com/oauth2/v3/userinfo

I think that Google also has a bug on the user consent screen, because I tried to use the scopes "openid", "profile" and "email" separately, but the screen always shows the same text: "To continue, Google will share your name, email address, and profile picture with Example.com." But in fact, if the "email" scope is not requested, the email is not provided in the response data... but Google tells the user that the email will be shared.

Btw, you can change the scope "https://www.googleapis.com/auth/userinfo.email" to just "email". Only Google-specific scopes need the full URI.


UPDATE

Yes, as expected, that email was a bug. Google just sent a correction email...

[Correction] Google+ APIs being shutdown on March 7, 2019

Dear Developer,

Earlier this week we sent you an email related to your projects that will be impacted by the Google+ API shutdown, which also affects requests for Google+ OAuth scopes.

The email listed that one or more of your projects are requesting the “plus.me” scope, and would thus be affected. We would like to clarify that only projects directly requesting the “plus.me” scope are affected. This scope may have been listed in some emails, even if not directly requested by your project. We apologize for any confusion caused.

...
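An added example, not part of the question, the answer or Google's email: a small Python check for the two things discussed above, namely whether an authorization URL directly requests a Google+ scope, and how to read only the verified email from the userinfo response. It sends the access token in an `Authorization` header instead of the `access_token` query parameter, so the token is not written to URL logs; the client ID, token and sample values are constructed placeholders, and the function names are hypothetical.

```python
import json
import urllib.request
from urllib.parse import parse_qs, urlsplit

USERINFO_URL = "https://www.googleapis.com/oauth2/v3/userinfo"  # endpoint from the question
GPLUS_PREFIX = "https://www.googleapis.com/auth/plus."  # matches plus.me and sibling scopes


def gplus_scopes(auth_url):
    """Return the Google+ scopes directly requested in an authorization URL."""
    query = parse_qs(urlsplit(auth_url).query)
    scopes = " ".join(query.get("scope", [])).split()
    return [s for s in scopes if s.startswith(GPLUS_PREFIX)]


def userinfo_request(access_token):
    """Build the userinfo call with the token in a header, not in the URL,
    so it does not end up in proxy or server access logs."""
    return urllib.request.Request(
        USERINFO_URL, headers={"Authorization": "Bearer " + access_token})


def verified_email(userinfo_body):
    """Keep only the email claim, and only when it is marked as verified."""
    claims = json.loads(userinfo_body)
    email = claims.get("email")
    if claims.get("email_verified") is True and isinstance(email, str):
        return email
    return None  # profile, picture and the other claims are ignored


# Constructed sample inputs (client_id and claim values are placeholders).
AUTH_OK = ("https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE"
           "&response_type=code"
           "&scope=https%3A%2F%2Fwww.google.com%2Fcalendar%2Ffeeds%2F"
           "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email")
AUTH_BAD = AUTH_OK + "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fplus.me"
SAMPLE_BODY = ('{"sub": "xxx", "profile": "https://plus.google.com/xxx", '
               '"email": "user@example.com", "email_verified": true}')

if __name__ == "__main__":
    print("Google+ scopes:", gplus_scopes(AUTH_OK), gplus_scopes(AUTH_BAD))
    req = userinfo_request("xxx")
    print(req.full_url, "->", verified_email(SAMPLE_BODY))
```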