Steps to minimize the impact of scope changes on users
- If your application requires the email address of an authenticated user, and you've previously used
profile.emails.readfor that purpose, use
- Obtain approval for
profile.emails.readwith an approved verification request. Refer to How do I submit for verification?
- Revoke the prior user token to the scope that's to be removed or remove access to the application entirely. For example, a token with
profile.emails.readaccess should be revoked. We recommend you apply the revocation while your users are in your application so that you can get user consent immediately.
- Prompt your users to re-consent with the new scope, such as
- Remove the scope that's to be phased out of your Google APIs OAuth consent screen configuration.
To migrate your app from Google+ Sign-In to Google Sign-In, you need to update your sign-in button, requested scopes, and instructions on how to retrieve profile information from Google. Follow our Google Sign In for Android documentation for full instructions.
When you update your sign-in button, do not refer to G+ or use the color red. Conform to our updated branding guidelines.
Most Google+ Sign-In applications requested some combination of the scopes:
plus.profile.emails.read. By using
GoogleSignInOptions.Builder with the
DEFAULT_SIGN_IN option, you will
automatically request the
profile scope which provides the user’s name and
profile picture. If you also want the user’s email address, you should call
.requestEmail() when constructing Google sign-in options.
Many implementers of Google+ Sign-In used the
code flow. This means
Google, and the client sends that code back to the server, along with cross-site
request forgery protection. The server then validates the code and obtains
refresh and access tokens to pull user profile information from the
Google now recommends that you request an ID token and send the ID token from your client to your server. ID tokens have cross-site forgery protections built-in and also can be statically verified on your server, which avoids an extra API call to get user profile information from Google’s servers. Follow the instructions to validate ID tokens on your server.
If you still prefer to use the code flow to obtain profile information,
you may do so. Once your server has an access token, you need to
obtain user profile information
userinfo endpoints specified in our Sign-In
Discovery document. The API
response is formatted differently than the Google+ profile response, so you
need to update your parsing to the new format.
If you are using
Plus.API, you should
to the newest Sign-In API for greater security and a better user experience.