4
votes

I've received an e-mail from Google warning me that my Google App Script projects will be impacted by their coming (January 28, 2019 - March 7, 2019) Google+ API shutdown.

Hello Google+ Developer,

The email below contains your most recent usage of Google+ APIs. Note: It includes Google+ OAuth scope requests, which are also affected by the Google+ shutdown. A prior email sent to active API callers did not include information about OAuth requests. One final reminder email will be sent in February to users who still have active API or OAuth request activity.

What do I need to know? On March 7, 2019, all Google+ APIs and Google+ Sign-in will be shut down completely. This will be a progressive shutdown, with API calls starting to intermittently fail as early as January 28, 2019, and OAuth requests for Google+ scopes starting to intermittently fail as early as February 15, 2019.

What do I need to do? Please update your projects listed below by March 7, 2019 and ensure they are no longer using Google+ APIs, or requesting Google+ OAuth scopes. The data below shows which Google+ API methods your projects have recently called, as well as Google+ OAuth scopes it has requested. Note: If you see calls to people.get, these can be the result of using the Google+ Sign-In feature in your application, which is now fully deprecated and is being shut down. Developers should migrate from the Google+ Sign-In feature to the more comprehensive Google Sign-in authentication system.

The e-mail is explicit about the fault in my projects, providing the following location details:

Project...............:My_GAS_Project_Name  
Google+ API Name......:OAuth    
Version...............:N/A
Method or OAuth Scope.:plus.me

But I think this is a false positive.

I'm using the OAuth API but not the Google+ API. I've searched for the following strings: "plus" and "+" in my code and found no references anywhere*.

*Yes, there are "+"s everywhere, but every one of them is accounted for as a string concatenation operation.

This is the OAuth function in the project:

function _getAuthenticationToken_() {
  // Check we have access to the service
  var service = getService();
  if (!service.hasAccess()) {
    var authorizationUrl = service.getAuthorizationUrl();
    _log_('INFO', 'Open the following URL and re-run the script: ' + authorizationUrl);
    return;
  }

  Logger.log('Passed Authentication');

  //Get the Access Token
  return service.getAccessToken();

  function getService() {
    // Create a new service with the given name. The name will be used when
    // persisting the authorized token, so ensure it is unique within the
    // scope of the property store.
    return OAuth2.createService('jlr-edw-dev-service')

    // Set the endpoint URLs, which are the same for all Google services.
    .setAuthorizationBaseUrl('https://accounts.google.com/o/oauth2/auth')
    .setTokenUrl('https://accounts.google.com/o/oauth2/token')

    // Set the client ID and secret, from the Google Developers Console.
    .setClientId(CLIENT_ID)
    .setClientSecret(CLIENT_SECRET)

    // Set the name of the callback function in the script referenced
    // above that should be invoked to complete the OAuth flow.
    .setCallbackFunction('authCallback')

    // Set the property store where authorized tokens should be persisted.
    .setPropertyStore(PropertiesService.getUserProperties())

    // Set the scopes to request (space-separated for Google services).
    // this is admin access for the sqlservice and access to the cloud-platform:
    .setScope(
      'https://www.googleapis.com/auth/sqlservice.admin ' + 
      'https://www.googleapis.com/auth/cloud-platform')

    //Removed because this Should be covered by cloud-platform
    //'https://www.googleapis.com/auth/devstorage.read_write ' 

    // Below are Google-specific OAuth2 parameters.

    // Sets the login hint, which will prevent the account chooser screen
    // from being shown to users logged in with multiple accounts.
    .setParam('login_hint', Session.getActiveUser().getEmail())

    // Requests offline access.
    .setParam('access_type', 'offline')

    // Forces the approval prompt every time. This is useful for testing,
    // but not desirable in a production application.
    .setParam('approval_prompt', 'force');
  }

  function authCallback(request) {
    var cloudSQLService = getService();
    var isAuthorized = cloudSQLService.handleCallback(request);

    if (isAuthorized) {
      _log_('INFO', 'Access Approved');
      return HtmlService.createHtmlOutput('Success! You can close this tab.');
    } else {
      _log_('INFO', 'Access Denied');
      return HtmlService.createHtmlOutput('Denied. You can close this tab');
    }
  }
}

Should I ignore the warning from Google or is there anything else I can check to confirm these projects are not at risk?

I should add that the projects are exposed via the Google App Script Execution API and their functions are being executed via a Java program based on the Google example. Only projects that are accessed in this way have been flagged.

More details added in response to DaImTo's comment.

The only library turned on in the project's resources is the OAuth library.

The Google+ API and People API are both off.

The API dashboard for the project doesn't include Google+ either.

UPDATE

I think I might know what's happening now. The diagram below illustrates the components.

1) These are the scopes extracted from the Java program used to execute the Google App Script. They include the scope "https://www.googleapis.com/auth/userinfo.email".

2) This is the Google OAuth2 API, v2 scopes documentation.

3) These are the scopes granted to the Google App Script project. Based on the descriptive name it looks like "plus.me" has been included, i.e. "Know who you are on Google = https://www.googleapis.com/auth/plus.me".

So for some reason, while requesting access to "https://www.googleapis.com/auth/userinfo.email", the request was extended to include "https://www.googleapis.com/auth/plus.me". I think this might have occurred because "userinfo.email" has been deprecated, described here.

RESOLVED

Further communication from Google has clarified that it was indeed a false positive and no code changes are required.

Dear Developer,

Earlier this week we sent you an email related to your projects that will be impacted by the Google+ API shutdown, which also affects requests for Google+ OAuth scopes.

The email listed that one or more of your projects are requesting the “plus.me” scope, and would thus be affected. We would like to clarify that only projects directly requesting the “plus.me” scope are affected. This scope may have been listed in some emails, even if not directly requested by your project. We apologize for any confusion caused.

If you are directly requesting the “plus.me” scope, any other Google+ OAuth scopes, or making any Google+ API calls, please ensure that you remove these requests from your project before March 7, 2019.

To see if your project is directly requesting the “plus.me” or any other Google+ OAuth scopes:

• If your project is written in Google Apps Script, you can view which scopes your project is requesting by reviewing your project properties in App Script Editor.

• If your project is not written in Google Apps Script, please check your code for references to “plus.me” in OAuth scope requests. We recommend that you review projects using any 3rd-party libraries that support sign-in or social functionality, as these may also be affected by the shutdown.

Thanks for being a valued Google+ Developer.

Sincerely, The Google+ API team
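
Google's follow-up distinguishes scopes a project requests directly from scopes that merely appear on the grant. The check below is an added example, not part of the original post or of Google's tooling: it compares a requested scope string with a granted one and reports Google+ scopes in each category. The function names, the sample strings and the assumption that Google+ scopes share the `https://www.googleapis.com/auth/plus.` prefix are illustrative.

```javascript
// Assumption: Google+ OAuth scopes share this URL prefix (plus.me, plus.login, ...).
var GOOGLE_PLUS_PREFIX = 'https://www.googleapis.com/auth/plus.';

// Split a space-separated scope string (the format passed to setScope() in the
// question) into a de-duplicated list, ignoring extra whitespace.
function parseScopes(scopeString) {
  return String(scopeString || '').split(/\s+/).filter(function (s, i, all) {
    return s !== '' && all.indexOf(s) === i;
  });
}

function isGooglePlusScope(scope) {
  return scope.indexOf(GOOGLE_PLUS_PREFIX) === 0;
}

// Compare what the code asks for with what the grant lists.
function auditScopes(requestedString, grantedString) {
  var requested = parseScopes(requestedString);
  var granted = parseScopes(grantedString);
  var direct = requested.filter(isGooglePlusScope);
  var implicit = granted.filter(function (s) {
    return isGooglePlusScope(s) && requested.indexOf(s) === -1;
  });
  return {
    directlyRequested: direct,        // remove these from the scope request
    grantedButNotRequested: implicit, // listed on the grant, not asked for in code
    actionRequired: direct.length > 0
  };
}

// Constructed sample mirroring the question: the script's two scopes plus the
// Java client's userinfo.email; the grant additionally lists plus.me.
var requestedSample =
  'https://www.googleapis.com/auth/sqlservice.admin ' +
  'https://www.googleapis.com/auth/cloud-platform ' +
  'https://www.googleapis.com/auth/userinfo.email';
var grantedSample = requestedSample + ' https://www.googleapis.com/auth/plus.me';

// Constructed counter-case: a client that asks for plus.me itself.
var directSample =
  'https://www.googleapis.com/auth/plus.me ' +
  'https://www.googleapis.com/auth/userinfo.email';

console.log(JSON.stringify(auditScopes(requestedSample, grantedSample), null, 2));
console.log(JSON.stringify(auditScopes(directSample, directSample), null, 2));
```

The granted string has to be supplied by whoever runs the check, for example copied from the scopes shown for the project's authorization.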

1 Answer

2
votes

I think you should check in the Google Developer Console. Make sure that you haven't enabled the Google+ API in your project. This may have caused the false positive.

That's the only thing I can think of. Even if it was a code issue, Google doesn't really have access to a developer's code; they are not going to go scanning every script to send out warnings.