11

Google recently sent me an email with the following:

One or more of your web applications uses the legacy Google Sign-In JavaScript library. Please migrate your project(s) to the new Google Identity Services SDK before March 31, 2023

The project in question uses the Google Drive API alongside the now legacy authentication client.

The table on the migration page (https://developers.google.com/identity/gsi/web/guides/migration) says:

Old New Notes
JavaScript libraries
apis.google.com/js/platform.js accounts.google.com/gsi/client Replace old with new.
apis.google.com/js/api.js accounts.google.com/gsi/client Replace old with new.

I was currently using gapi on the front-end to perform authorization which is loaded from apis.google.com/js/api.js. According to the table I would need to replace it with the new library.

I've tried the following to authenticate and authorize in the same manner that I used to do with gapi:

window.google.accounts.id.initialize({
  client_id: GOOGLE_CLIENT_ID,
  callback: console.log,
  scope: "https://www.googleapis.com/auth/drive.file",
  discoveryDocs: ["https://www.googleapis.com/discovery/v1/apis/drive/v3/rest"],
});

window.google.accounts.id.renderButton(ref.current, {
  size: "medium",
  type: "standard",
});

However, when I try to authenticate with the Google Sign In button, the scope field is not respected and it does not ask the user to authorize the requested scopes. It also doesn't return any form of access token in the Credential Response in the callback.

I'm not sure how else to authorize using the new library.

Linda Lawton - DaImTo
  • 106,405
  • 32
  • 180
  • 449
Abir Taheer
  • 2,502
  • 3
  • 12
  • 34
  • It probably has to do with the fact that its identity signin which uses the scopes of profile, email. What your trying to do is add Oauth2 scopes to it. Im not sure it was designed for that use in mind. – Linda Lawton - DaImTo Aug 17 '21 at 10:51
  • I'll leave the question unanswered in case there is a way to do it all in one request but what I'm doing right now is using the authorization endpoint and using the login hint to ask the user to approve the scope without them needing to select their account again. https://developers.google.com/identity/protocols/oauth2/javascript-implicit-flow – Abir Taheer Aug 17 '21 at 17:44
  • new gsi based login system will provide token which contains user id(sub), email, name and profile pic.. what else more need to register/login user? – user1844933 Sep 08 '21 at 16:06

2 Answers2

14

In the new Google Identity Services, the authentication moment and the authorization moment are separated. This means GIS provides different APIs for websites to call on these two different moments. You cannot combine them together in one API call (and UX flow) any more.

In the authentication moment, users just sign in or sign up into your website (by leveraging the information shared by Google). The only decision users need to make is whether they want to sign in (or sign-up). No authorization-related decision needs to be made at this point.

In the authentication moment, users will see consistent One Tap or button UX across all websites (since the same scopes are requested implicitly). Consistency leads to more smooth UX, which may further lead to more usage. With the consistent and optimized authentication UX (across all websites), users will have a better experience with federated sign-in.

After users sign-in, when you really want to load some data from a Google data service, you can call the GIS authorization API to trigger a UX flow to allow end users to grant the permission. That's the authorization moment.

Currently (August 2021), only authentication API has been published. If your website only cares about authentication, you can migrate to GIS now. If you also need the authorization API, you have to wait for further notice.

John Washam
  • 4,073
  • 4
  • 32
  • 43
Guibin
  • 734
  • 3
  • 5
  • this answer is very helpful! Does that mean that if I use Google Sign-In for authentication, I need to generate my own access and refresh tokens? That way I know the user actually signed in and have access to restricted endpoints? – chris Sep 06 '21 at 16:30
  • @Guibin after user authentication in our login page google gis onetap login provides token googleUser.credential which includes his ID(sub), name, email, and profile picture here question shouldn't we store theses details in our db as user registration? – user1844933 Sep 08 '21 at 15:52
  • Thanks for the information. Is there any official google document or link providing more input about timelines etc? – Julian Kleine Sep 13 '21 at 14:31
  • 1
    this information is very helpfull if true but i think that without any reference it lacks authourity. such information would have to come from google surely. can i ask how you discovered this. do you just reason this to be logical or can you provide the source of this information? – user2897377 Oct 11 '21 at 07:15
  • 1
    @chris did you find how to refresh expired tokens? I can't find where to get the refresh token – Luis Miguel Oct 13 '21 at 04:47
  • The authorization API was launched. More details at: https://developers.google.com/identity/oauth2/web/guides/choose-authorization-model – Guibin Apr 19 '22 at 18:19
  • @user2897377 here is official documentation that says the same thing. Authentication and Authorization are now separate. https://developers.google.com/identity/gsi/web/guides/overview#separated_authentication_and_authorization_moments – Joshua Dance Sep 16 '22 at 22:52
4

To add to the current answer, there is now documentation on how to authorize users with additional scope. From Using the token model.

First you need to init a TokenClient:

const client = google.accounts.oauth2.initTokenClient({
  client_id: 'YOUR_GOOGLE_CLIENT_ID',
  scope: 'https://www.googleapis.com/auth/calendar.readonly',
  callback: (response) => {
    ...
  },
});

Then request for a token:

client.requestAccessToken();

If anyone is interested in where it's mentioned in the migration documentation, last paragraph of this section:

If your use case includes authorization, please read How user authorization works and Migrate to Google Identity Services to make sure your application is using the new and improved APIs.

While their articles are very detailed and good, personally I find them a bit too much for me, so it's simpler for me to just follow the first article mentioned and don't care about migrations at all.

Luke Vo
  • 17,859
  • 21
  • 105
  • 181
  • Actually, I don't see this in the documentation for the sign in platform: https://developers.google.com/identity/gsi/web/guides/migration Could you reference where you found this property/method? – Abir Taheer Mar 16 '22 at 23:26
  • 1
    @AbirTaheer I just added that part to the answer. The link you gave is for `Google Sign-in button`, which is nice and simple if that's all you need. For more advanced use cases, you need the full library docs at https://developers.google.com/identity/oauth2/web/guides/overview – Luke Vo Mar 17 '22 at 00:32
  • Just have in mind that `client.requestAccessToken` must be performed after user interaction, otherwise it will fail. – Jorjon Mar 16 '23 at 00:37
  • @Jorjon you are correct. It is performed by opening a popup, which would fail on most browsers if it's not from a user interaction. – Luke Vo Mar 16 '23 at 01:48