This article explains the recent changes made to Google OpenID and OAuth 2.0 along with the corresponding updates to the 3.0.0 RC release of Google OAuth middleware.
Here we will first look at the experience of using Google OAuth middleware in an MVC application with the OWIN 2.1.0 release bits. We will then explain the current changes to Google OAuth API and implications on applications that would continue to use the 2.1.0 version of the packages. Finally we will look at the changes made in the recent 3.0.0 RC release of Google middleware.
Deprecated Google OpenID 2.0
In the Visual Studio 2013 RTM and Update 1 releases, the MVC web applications template using Individual Authentication used Google OpenID by default. The below code (found in Startup.Auth class) registered the middleware
As of April 20, 2014 the Open ID was deprecated by Google and hence using Google OpenID for external login would throw an error as below
Google OAuth in OWIN 2.1.0 middleware
Applications can solve the above issue by using the Google OAuth 2.0 in the application. This is done by navigating to Google Developer Console to create a new project under users Google account and use the keys. For more detailed information on how to create an application and get the keys check this link.
Once the keys are obtained the they are used to register the middleware in the Startup.Auth as below
ClientId = "XXXXX.apps.googleusercontent.com",
ClientSecret = "XXXXXXXXXX"
This should allow applications using Google middleware version 2.1.0 to use Google as an external authentication provider. For a complete sample, see MVC 5 App with Facebook, Twitter, LinkedIn and Google OAuth2 Sign-on.
Changes to Google OAuth 2.0 and updates to Google middleware
On September 1, 2014 Google will deprecate the earlier version of OAuth 2.0 and will no longer support it. To accommodate these changes, the recent 3.0.0 RC release of Google middleware has been updated. For more information on the changes to the OAuth 2.0 login from Google, please refer this link.
Once the current application is updated to the 3.0.0. RC bits, using Google as an external authentication provider may fail. Below is the screen shot of the Fiddler trace with the failure message for a default MVC application:
The end point for the OAuth has been changed to https://www.googleapis.com/plus/v1/people/me and needs changes to the application created on the developer console.
To make these change, go to Google Console where the application is created. Navigate to the ‘APIs’ tab under the ‘APIS & AUTH’ section and you can see that for the app the Google+ API are not enabled by default.
Click on ‘OFF’ and read and accept the terms to enable the Google+ API. Now run the application and try to login using Google. Logging in should be a success.
This article showed the previous experience of using Google as an external login provider and the upcoming changes in Google OAuth 2.0 and the corresponding updates to Google middleware in the 3.0 RC release. These are some of the updates that are included in the new 3.0.0 RC release of other middlewares as well. Please provider feedback on issues in this article or on codeplex (https://katanaproject.codeplex.com/workitem/list/basic). You can also follow me on Twitter (@suhasbjoshi).
Thanks to Praburaj, Chris and Rick for reviewing the article