passport-google-oauth2

Is there a way to use this strategy without having to enable Google Plus API?

Open spacecowboy858 opened this issue 9 years ago • 4 comments

Now that Google is decoupling Google+ from their services are there any plans on having this passport strategy independent from having to enable the Google+ API from the developer console?

spacecowboy858 avatar May 21 '16 21:05 spacecowboy858

@charleswinin, yes this can be done. I was looking into the same thing myself and ended up reading a bunch of Google documentation and passport code to sort it out. Wherever you are currently providing the clientID and clientSecret options for this passport strategy, add a userProfileURL option:

options: {
  clientID: SECRET,
  clientSecret: SECRET,
  userProfileURL: "https://www.googleapis.com/oauth2/v3/userinfo",
  scope: ['email']
}

A few notes:

  • This doesn't work with other correct URLs such as https://www.googleapis.com/userinfo/v2/me. I've created a PR to fix this.
  • It appears that this information was in the README at some point but was taken out? See https://github.com/jaredhanson/passport/issues/115.

Unfortunately Google's documentation is such a mess that it's not clear to me what the differences between different OAuth2 profile URLs are. The two that I mentioned here seem to provide the same information but I was only able to find (https://www.googleapis.com/userinfo/v2/me) in the docs. The one that I recommend you use for now (https://www.googleapis.com/oauth2/v3/userinfo), I found inside the tests for this package. They seem to provide the same profile information. I have no idea what long term support for the different URLs will be like.

wwalser avatar Jun 01 '16 02:06 wwalser

@jaredhanson Any updates on this? It would be very nice to get the information above into the documentation.

LinusU avatar Sep 16 '16 17:09 LinusU

This is going to become more and more of an issue since Google moved to the OAuth app verification process. The library implicitly needs access to the scope https://www.googleapis.com/auth/plus.me with the default userProfileURL whereas one would expect the scope https://www.googleapis.com/auth/userinfo.profile being used. @wwalser's solution works but this is likely a pitfall for many and should therefore be in the readme at least. I would vote to change the default.

So for anyone coming here because they are debugging the "unverified app" screen for their app's OAuth Developer Verification: you either need to request access to the https://www.googleapis.com/auth/plus.me scope to make passport-google-oauth work or change the userProfileURL as suggested above.

zoellner avatar Feb 01 '18 22:02 zoellner
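
A startup check built on the two comments above (the userProfileURL option and the note about the plus.me scope), as an added example that is not part of the thread or of passport-google-oauth2. The function name, the host pin and the "/plus/" path test are assumptions made for illustration.

```javascript
// Added example: audit Google strategy options before passing them to the
// strategy constructor. Names here are hypothetical, not the library's API.
const PLUS_SCOPE = 'https://www.googleapis.com/auth/plus.me';
const USERINFO_URL = 'https://www.googleapis.com/oauth2/v3/userinfo';

function auditGoogleStrategyOptions(options) {
  const findings = [];
  // Accept a single scope string or an array of scopes.
  const scopes = [].concat(options.scope || []);

  if (!options.userProfileURL) {
    // Per the thread, the library default implicitly needs the plus.me scope.
    findings.push('userProfileURL not set: library default requires ' + PLUS_SCOPE);
  } else {
    let url = null;
    try {
      url = new URL(options.userProfileURL);
    } catch (err) {
      findings.push('userProfileURL is not a valid URL');
    }
    if (url) {
      // The profile request carries the access token, so pin scheme and host.
      if (url.protocol !== 'https:') findings.push('userProfileURL must use https');
      if (url.hostname !== 'www.googleapis.com') {
        findings.push('unexpected profile host: ' + url.hostname);
      }
      // Assumption: Google+ profile endpoints live under the /plus/ path.
      if (url.pathname.startsWith('/plus/')) {
        findings.push('userProfileURL points at a Google+ endpoint');
      }
    }
  }

  if (scopes.length === 0) findings.push('no scope requested');
  for (const scope of scopes) {
    // Any Google+ scope widens the consent screen and the verification review.
    if (/\/auth\/plus\./.test(scope)) findings.push('Google+ scope requested: ' + scope);
  }
  return findings;
}

// Constructed sample options; the credentials are placeholders.
const sample = { clientID: 'PLACEHOLDER', clientSecret: 'PLACEHOLDER',
                 userProfileURL: USERINFO_URL, scope: ['email'] };
console.log(auditGoogleStrategyOptions(sample)); // no findings for the thread's config
```

Failing application startup when the returned array is non-empty keeps a later config change from silently reintroducing the Google+ dependency.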

The information above about the different user profile URL is extremely helpful - it gets back the previous behavior from older applications using Google OAuth2, in which users were prompted only for their identity, not for their approximate age. The Google+ thing is interesting, but feels like it could be an optional switch to be requested if needed rather than the default?

kylecordes avatar Aug 12 '18 04:08 kylecordes