Migrate from Google+ sign-in

Steps to minimize the impact of scope changes on users

  1. If your application requires the email address of an authenticated user, and you've previously used profile.emails.read for that purpose, use email instead.
  2. Obtain approval for profile.emails.read with an approved verification request. Refer to How do I submit for verification?
  3. Revoke the prior user token to the scope that's to be removed or remove access to the application entirely. For example, a token with profile.emails.read access should be revoked. We recommend you apply the revocation while your users are in your application so that you can get user consent immediately.
  4. Prompt your users to re-consent with the new scope, such as email, without profile.emails.read.
  5. Remove the scope that's to be phased out of your Google APIs OAuth consent screen configuration.

To migrate your app from Google+ Sign-In to Google Sign-In, you need to update your sign-in button, requested scopes, and instructions on how to retrieve profile information from Google. Follow our Google Sign In for Android documentation for full instructions.

When you update your sign-in button, do not refer to G+ or use the color red. Conform to our updated branding guidelines.

Most Google+ Sign-In applications requested some combination of the scopes: plus.login, plus.me and plus.profile.emails.read. By using GoogleSignInOptions.Builder with the DEFAULT_SIGN_IN option, you will automatically request the profile scope which provides the user’s name and profile picture. If you also want the user’s email address, you should call .requestEmail() when constructing Google sign-in options.

Many implementers of Google+ Sign-In used the code flow. This means that the Android, iOS or JavaScript apps obtain an OAuth authorization code from Google, and the client sends that code back to the server, along with cross-site request forgery protection. The server then validates the code and obtains refresh and access tokens to pull user profile information from the people.get API.

Google now recommends that you request an ID token and send the ID token from your client to your server. ID tokens have cross-site forgery protections built-in and also can be statically verified on your server, which avoids an extra API call to get user profile information from Google’s servers. Follow the instructions to validate ID tokens on your server.

If you still prefer to use the code flow to obtain profile information, you may do so. Once your server has an access token, you need to obtain user profile information from the userinfo endpoints specified in our Sign-In Discovery document. The API response is formatted differently than the Google+ profile response, so you need to update your parsing to the new format.

If you are using GoogleAuthUtil.getToken or Plus.API, you should migrate to the newest Sign-In API for greater security and a better user experience.