Tag Archives: oauth

Federated Credential Management (FedCM) Migration for Google Identity Services

Posted by Gina Biernacki, Product Manager

Chrome is phasing out support for third-party cookies this year, subject to addressing any remaining concerns of the CMA. A relatively new web API, Federated Credential Management (FedCM), will enable sign-in for the Google Identity Services (GIS) library after the phase out of third-party cookies. Starting in April, GIS developers will be automatically migrated to the FedCM API. For most developers, this migration will occur seamlessly through backwards-compatible updates to the GIS library. However, some websites with custom integrations may require minor changes. We encourage all developers to experiment with FedCM, as previously announced through the beta program, to ensure flows will not be interrupted. Developers have the ability to temporarily exempt traffic from using FedCM until Chrome enforces the restriction of third-party cookies.

Audience

This update is for all GIS web developers who rely on the Chrome browser and use:

One Tap, or

Automatic Sign-In

Context

As part of the Privacy Sandbox initiative to keep people’s activity private and support free experiences for everyone, Chrome is phasing out support for third-party cookies, subject to addressing any remaining concerns of the CMA. Scaled testing began at 1% in January and will continue throughout the year.

GIS currently uses third-party cookies to allow users to sign up and sign in to websites easily and securely by reducing reliance on passwords. The FedCM API is a new privacy-preserving alternative to third-party cookies for federated identity providers. It allows Google to continue providing a secure, streamlined experience for signing up and signing in to websites. Last August, the Google Identity team announced a beta program for developers to test the Chrome browser’s new FedCM API supporting GIS.

What to Expect in the Migration

Partners who offer GIS’s One Tap and Automatic Sign-In features will automatically be migrated to FedCM in April. For most developers, this migration will occur seamlessly through backwards-compatible updates to the GIS JavaScript library; the GIS library will call the FedCM APIs behind the scenes, without requiring any developer changes. The new FedCM APIs have minimal impact to existing user flows.

Some Developers May be Required to Make Changes

Some websites with custom integrations may require minor changes, such as updates to custom layouts or positioning of sign-in prompts. Websites using embedded iframes for sign-in or a non-compliant Content Security Policy may need to be updated. To learn if your website will require changes, please review the migration guide. We encourage you to enable and experiment with FedCM, as previously announced through the beta program, to ensure flows will not be interrupted.

Migration Timeline

If you are using GIS One Tap or Automatic Sign-in on your website, please be aware of the following timelines:

January 2024: Chrome began scaled testing of third-party cookie restrictions at 1%.

April 2024: GIS begins a migration of all websites to FedCM on the Chrome browser.

Q3 2024: Chrome begins ramp-up of third-party cookie restrictions, reaching 100% of Chrome clients by the end of Q4, subject to adddressing any remaining concerns of the CMA.

Once the Chrome browser restricts third-party cookies by default for all Chrome clients, the use of FedCM will be required for partners who use GIS One Tap and Automatic Sign-In features.

Checklist for Developers to Prepare

✅ Be aware of migration plans and timelines that will affect your traffic. Determine your migration approach. Developers will be migrated by default starting in April.

✅ All developers should verify that their website will be unaffected by the migration. Opt-in to FedCM to test and make any necessary changes to ensure a smooth transition. For developers with implementations that require changes, make changes ahead of the migration deadline.

✅ For developers that use Automatic Sign-In, review the FedCM changes to the user gesture requirement. We recommend all automatic sign-in developers migrate to FedCM as soon as possible, to reduce disruption to automatic sign-in conversion rates.

✅ If you need more time to verify FedCM functionality on your site and make changes to your code, you can temporarily exempt your traffic from using FedCM until the enforcement of third-party cookie restrictions by Chrome.

To get started and learn more about FedCM, visit our developer site and check out the google-signin tag on Stack Overflow for technical assistance. We invite developers to share their feedback with us at [email protected].

Source: Google for Developers Blog - News about Web, Mobile, AI and Cloud

Improving user safety in OAuth flows through new OAuth Custom URI scheme restrictions

Posted by Vikrant Rana, Product Manager

OAuth 2.0 Custom URI schemes are known to be vulnerable to app impersonation attacks. As part of Google’s continuous commitment to user safety and finding ways to make it safer to use third-party applications that access Google user data, we will be restricting the use of custom URI scheme methods. They’ll be disallowed for new Chrome extensions and will no longer be supported for Android apps by default.

Disallowing Custom URI scheme redirect method for new Chrome Extensions

To protect users from malicious actors who might impersonate Chrome extensions and steal their credentials, we no longer allow new extensions to use OAuth custom URI scheme methods. Instead, implement OAuth using Chrome Identity API, a more secure way to deliver OAuth 2.0 response to your app.

What do developers need to do?

New Chrome extensions will be required to use the Chrome Identity API method for authorization. While existing OAuth client configurations are not affected by this change, we strongly encourage you to migrate them to the Chrome Identity API method. In the future, we may disallow Custom URI scheme methods and require all extensions to use the Chrome Identity API method.

Disabling Custom URI scheme redirect method for Android clients by default

By default, new Android apps will no longer be allowed to use Custom URI schemes to make authorization requests. Instead, consider using Google Identity Services for Android SDK to deliver the OAuth 2.0 response directly to your app.

What do developers need to do?

We strongly recommend switching existing apps to use the Google Identity Services for Android SDK. If you're creating a new app and the recommended alternative doesn’t work for your needs, you can enable the Custom URI scheme method for your app in the “Advanced Settings” section of the client configuration page on the Google API Console.

User-facing error message

Users may see an “invalid request” error message if they try to use an app that is making unauthorized requests using the Custom URI scheme method. They can learn more about this error by clicking on the "Learn more" link in the error message.

User-facing error example

Developer-facing error message

Developers will be able to see additional error information when testing user flows for their applications. They can get more information about the error by clicking on the “see error details” link, including its root cause and links to instructions on how to resolve the error.

Developer-facing error example

Related content

https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html

Source: Google for Developers Blog - News about Web, Mobile, AI and Cloud

Announcing Federated Credential Management (FedCM) Beta for Google Identity Services

Posted by Gina Biernacki, Product Manager

Today, the Google Identity team is announcing a beta program for developers to test our integration with the Chrome browser’s new FedCM (Federated Credential Management) API.

Audience

This update is for all Google Identity Services (GIS) web developers who rely on the Chrome browser and use:

One Tap, or

Auto Sign-In

Why FedCM

GIS currently uses third-party cookies to enable users to easily sign up and sign in to websites, making sign-in more secure for users by reducing reliance on passwords. However, as part of the Privacy Sandbox initiative, Chrome is phasing out support for third-party cookies in 2024 to protect user privacy online.

The W3C FedID community group developed the FedCM API as a new privacy-preserving alternative to third-party cookies for federated identity providers. This new FedCM solution enables Google to continue providing a secure, streamlined experience for signing up and signing in to websites via GIS.

The benefits of FedCM include:

Improved privacy. As part of its design, FedCM prevents identity providers from viewing users' activity across the web without their permission, keeping privacy central in user interactions.

High-quality user experience. FedCM enables GIS to rely on a new browser-native UI, resulting in a faster, more consistent sign-in experience for users across websites and across identity providers. This new browser-provided user experience takes inspiration from prior versions of the GIS library, making the transition easier for users and developers.

Additional browser support. We expect other browsers to support FedCM, such as Firefox and other Chromium-based browsers like Edge, Opera, and Samsung browsers. We are excited to support a consistent, low-friction sign-in experience across the web.

What is changing for GIS developers

We expect to migrate developers using GIS’s One Tap and Auto Sign-In features to FedCM over the next year as a result of the Chrome browser’s plans to deprecate third-party cookies. For most developers, this migration will occur seamlessly through backwards-compatible updates to the GIS JavaScript library; the GIS JavaScript library will call the FedCM APIs behind the scenes, without any developer changes required. However, some websites may require minor changes, such as updates to custom layouts or positioning of sign-in prompts. To learn if your website may require changes, please review the migration guide article, and we encourage you to participate in the FedCM beta program.

More on the FedCM User Experience

With FedCM, GIS will continue to offer a seamless user experience, even when third-party cookies are no longer available. The new FedCM APIs have minimal changes to existing user flows and websites. The updated One Tap and Auto Sign-In user prompts are shown below:

Image of Google identity Services One Tap user experience using FedCM API

GIS One Tap user experience using FedCM API

Auto Sign-In user experience using FedCM API

Timeline

GIS will migrate traffic to FedCM gradually beginning in November 2023, with minimal changes required for most developers. If you are using GIS One Tap or Auto Sign-in on your website, please be aware of the following timelines:

August 2023: Developers have the ability to participate in a GIS FedCM beta release. We also encourage all new apps to participate in the FedCM beta from the start.

Early 2024: We will begin a gradual transition of developers to FedCM, reaching 100% in mid-2024, to support the Chrome browser’s announced plans to block third-party cookies by default starting in the second half of 2024.

Early 2024: Chrome intends to begin scaled testing of third-party cookie blocking in advance of their aforementioned plans.

Once the Chrome browser blocks third-party cookies by default, the use of FedCM will be required for GIS One Tap to function.

Join our Beta program to prepare

We encourage all our developers to participate and test the FedCM APIs in our beta program available today, so you can prepare for these upcoming changes. To get started and learn more about the program, visit our developer site and check out the google-signin tag on Stack Overflow for technical assistance. We invite developers to share their feedback on the FedCM beta program with us at [email protected].

Source: Google for Developers Blog - News about Web, Mobile, AI and Cloud

New Features Available in the Google Identity Services (GIS) Library

Posted by Gina Biernacki, Product Manager

At Google, we're committed to making authentication safer and easier for our developers, so users can easily access the apps and websites they love. Google Identity Services (GIS) continues to advance and further develop our authentication solutions that offer immense value to our partner ecosystem, including highly requested features including a new verified phone number directly embedded in our authentication flows.

For developers, our focus has always been to offer a frictionless experience that makes it easier for users to onboard and return to partner platforms, while also helping developers create a trusted relationship with their users.

What’s New

Today we are announcing a few new features that are now available across our libraries:

Android

Verified Phone Number on Android
Phone Hint on Android

Web

One Tap on Intelligent Tracking Prevention (ITP) Browsers

iOS and macOS

Added macOS Support

Android

Verified Phone Number

As an identity provider, we are making it seamless for developers to supplement additional user data leveraging the user’s Google Account, while ensuring clear user consent is woven into the experience. We understand that phone numbers are a critical piece of account management, both for our users in mobile-first markets and for our developers that require increased identity verification or two-step verification.

On Android devices, developers can now request users to share a verified phone number associated with their Google Account as part of the sign-up flow. Developers have shared with us that safeguarding their users through SMS verification represents a significant cost to their business. Now developers can simply request a phone number from the user, which has already been verified by Google, decreasing their overall SMS costs during the onboarding process.

Verified Phone Number is now available on GIS for Android and we plan to expand to other surfaces in the future.

Phone Number Hint

Another way a developer can request a user’s phone number is through the new Phone Number Hint API on Android devices. Phone Number Hint allows developers to call an API where users can share a phone number from the SIM cards of their device, independent of a sign up or sign in flow. This API is preferred over the native Android API call as it does not require any additional permissions, reducing time and effort for our developers. Phone Number Hint API does not require a user to be signed in to their Google account and does not save any information to the Google account.

Web

One Tap on ITP Browsers

ITP (Intelligent Tracking Prevention) browsers restrict the use of third party cookies, preventing the tracking of users across the web. GIS One Tap is now available on ITP browsers, including Safari, Firefox and Chrome on iOS. This creates a One Tap experience that’s consistent across multiple platforms, for both users and developers. Our developers prefer One Tap for many reasons:

increasing user conversion
Industry leading security
reduced risks associated with password management
allowing sign in and sign up without redirecting users to a dedicated sign in / up page
mitigate duplicate accounts with personalized prompts and automatic sign-in on return visits

The One Tap UX on ITP browsers will start with a warm welcome page as shown below.

Once the user chooses to continue, a popup window will be opened. The UX in the popup window is similar to the standard One Tap user experience.

We will roll out this new feature by default on October 12, 2022 to all developers who have enabled One Tap. Refer to our documentation to begin supporting One Tap on ITP browsers immediately or to opt-out of default support.

iOS and macOS

macOS Platform Expansion

Over the last few years, the Apple ecosystem has expanded to include a number of distinct platforms (iOS, iPadOS, macOS, tvOS, watchOS). As a step toward supporting the broader Apple ecosystem, we have launched macOS support as part of Google Sign-In for iOS and macOS. This provides support for the core GIS experiences (authentication, authorization, and token storage) for native macOS apps.

Deprecations

Upcoming Deprecations

In addition to new features available in the GIS library, we also want to remind our developers about upcoming deprecations.

Smart Lock for Passwords on Android Deprecation
Google Sign-In for Websites Deprecation

Smart Lock for Passwords Deprecation

We are announcing the deprecation of the Smart Lock for Passwords Android SDK, which handles password saving and retrieval, ID token requests, and sign-in hint retrieval. You can now find all Smart Lock for Passwords functionality available in the GIS library. We recommend all developers now use the GIS library for new functionality. For existing integrations, Smart Lock for Passwords traffic will be redirected to the GIS library by default, without any changes needed by developers.

Google Sign-In for Websites Deprecation

We would like to remind our developers that on March 31, 2023 we will fully retire the Google Sign-In JavaScript Platform Library for web applications. Please check if this affects your web application, and if necessary, to plan for a migration.

We are excited to see these new features continue to bring measurable value to both our developers and users, and look forward to continuing supporting our developers with their identity-related needs. Please visit our developer site to get started.

Source: Google Developers Blog

How to integrate your web app with Google Ads

TL;DR: You can now have a web application integrated with Google Ads in just a few minutes!

Google Ads

Google Ads is an online advertising platform where advertisers can create and manage their Google marketing campaigns. The Google Ads API is the modern programmatic interface to Google Ads and the next generation of the AdWords API. It enables developers to interact directly with the Google Ads platform, vastly increasing the efficiency of managing large or complex Google Ads accounts and campaigns.

A typical use case is when a company wants to offer Google ads natively on their platform to their users. For example, customers who have an online store with Shopify can promote their business using Google ads, with just a few clicks and without needing to go to the Google Ads platform. They’re able to do it directly on Shopify’s platform—the Google Ads API makes this possible.

Demo App

Francisco Blasco, Strategic Technical Solutions Manager at Google, designed and built an open source web application that is integrated with Google Ads and Business Profile (aka Google My Business).

Anyone can use the app, called Fran Ads, to save significant time on product development. Just follow the simple installation steps in the README files (frontend README file and backend README file) on the GitHub repo! The app uses React for the frontend, and Django for the backend; two of the most popular web frameworks.

App's Logo

Check out a product demo here! You can have this app running in your local machine in a few minutes. To learn how, check out the video tutorial.

Blasco acts as an external Product Manager for Google’s strategic partners, driving the entire product development lifecycle. He created this project to help Google’s partners and businesses seeking to offer Google Ads to their users.

The goal is to accelerate the Google Ads integration process and decrease associated development costs. Some companies are using Fran Ads to see what an integration looks like, while others are using the technical guide to learn how to start using the Google Ads API.

In general, companies can use Fran Ads as an SDK to begin working with elements within the Google Ads API, and serve as a guidance system for integrating with Google. This project will minimize the number of times the wheel needs to be reinvented, accelerating innovation and facilitating adoption. Developers can clone the code repositories, follow the steps, and have a web app integrated with Google Ads in just a few minutes. They can adapt and build on top of this project, or they can just use the functions they need for the features they want to develop.

App Architecture

Furthermore, you will learn how to create credentials to consume Google APIs; specifically, the README files show how to create a project on Google Cloud Platform (GCP), and how to set it up correctly so a web app can consume Google Ads API and Business Profile APIs.

Also, you will learn how refresh tokens work for Google APIs, and how to manage them for your web application.

Francisco wrote a detailed technical guide explaining how to build every feature of the app. Some of the most important features are:
1. Create a new Google Ads account
2. Link an existing Google Ads account

3. OAuth authentication & authorization

4. Refresh token management

5. List of Google Ads accounts associated with Google account

6. Reporting on performance for all campaign types

7. Create Smart Campaign (automated ads on Google and across the web)

8. Edit Smart Campaign settings

As you can see from the list above, the app will create Smart Campaigns — a simplified, automated campaign designed for new advertisers and SMBs

Google made public the suggestion services through the Google Ads API. Fran Ads uses those services to recommend keyword themes, headlines & descriptions for the ad, and budget. These recommendations are specific for each advertiser, depending on several factors such as type of business, location, and keyword themes.

An example of three Google recommendations for an advertiser.

The image above shows the final step of creating a Smart Campaign on Fran Ads. In this step, users have to set a daily budget for the campaign. Not only will you receive recommendations for the budget, but an estimate of how many ad clicks you will get per month. This is a great feature for users who are new to digital marketing and aren’t aware of their spending needs.

You can also see an alert message that the budget can be changed anytime, so users can pause spending on the campaign. This is important because many new users, especially SMBs, have doubts about spending on something new. Therefore, it is important to communicate to them that the decision they are making at that moment is not set in stone.

When you start using Fran Ads, you will see there is guidance so users complete the tasks they want.

Guidance on how to complete tasks based on Google’s best practices.

Furthermore, the app is designed based on Google’s best practices. For example, when users are creating a Smart Campaign, in step three (see the above image) they need to select keyword themes (group of keywords). If you choose “bakery” as the keyword theme, your ad is eligible to show when people search for “bakery near me”, “local bakery”, and “cake shop”.

Google’s best practices suggest that advertisers use between seven and ten keyword themes per campaign. Therefore, Fran Ads is designed for users to select up to seven keyword themes. Refer to the image of step three when creating a Smart Campaign on Fran Ads. However, you can set it to ten if you like.

The technical guide also provides:

1. Production-ready code for both the frontend and backend

2. Engineering flow diagrams

3. Best practices

4. High-fidelity mockups

5. App architecture and structure diagrams

6. Workarounds to current bugs on Google Ads API v9

7. Important information on how to handle important tasks necessary for integrating your platform with Google Ads

8. Help with the design strategy for the UX and design elements of the UI.

Important resources

See below the list summarizing the important resources that will help you integrate with Google Ads easier, faster, and better.

1. Frontend repo: all the code for the frontend of Fran Ads.

2. Backend repo: all the code for the backend of Fran Ads.

3. Technical guide: 3 sections: ‘Before Starting’, ‘Configurations & Installation’, and ‘Build web app’. In section 3, you have explanations on how to build all the features of the app.

4. Product demo: 15-minute demo of Fran Ads showing many core features.

5. Video tutorial: 17-minute tutorial on how to set up and run Fran Ads.

By Francisco Blasco – Launch, Channel Partners

Source: Google Open Source Blog

Discontinuing authorization support for the Google Sign-In JavaScript Platform Library

Posted by Brian Daugherty, Product Solutions Engineer

Last year, we announced our plan to deprecate the Google Sign-In JavaScript Platform Library for web applications.

On March 31, 2023 we will fully retire the Google Sign-In JavaScript Platform Library and would like to remind you to check if this affects your web application, and if necessary, to plan for a migration.

Beginning April 30th, 2022 new applications must use the Google Identity Services library, existing apps may continue using the Platform Library until the deprecation date.

What does this mean for you?

Evaluate if you are affected by the deprecation and your need to Migrate to Google Identity Services.
Complete your migration prior to March 31, 2023, after which the Platform Library will no longer be available for download and web apps relying upon deprecated authorization features to obtain access tokens for calling Google APIs will no longer work as intended.

Are you affected?

To protect users' personal information across the web, Google continues to make signing into apps and services secure by default. Delivering on this promise, we announced Google Identity Services, our family of Identity APIs that consolidate multiple identity offerings under one software development kit (SDK). Recently, we released an update to the Google Identity Services library, adding user authorization and data sharing features based on OAuth 2.0. Due to numerous security and privacy improvements, the new Identity Services library is not fully backward compatible with all features and functionality found in the older Platform Library, and so a migration to the new library and code changes are necessary.

The deprecation applies to web apps loading the Google Sign-In JavaScript Platform Library and apps using the Google API Client Library for JavaScript with access tokens.

If your web pages use the apis.google.com/js/api.js or apis.google.com/js/client.js JavaScript modules to load the Platform Library, you are affected and need to update your existing implementation to use the new Identity Services client library.

Web applications using gapi.client from the Google API Client Library implicitly load and use the Platform Library’s soon to be deprecated gapi.auth2 module when working with access tokens to call Google APIs. Updates to your web app to explicitly include the new Identity Services library, manage access token requests, and replace auth2 module references with newer equivalent methods are necessary.

Your full suite of apps and platforms may be using different methods of authentication and authorization from Google. The following are NOT affected by this deprecation announcement:

Android or iOS native app SDKs,
Backend platforms directly calling Google’s OAuth 2.0 or OpenID services.

Migration

Authorization and authentication functionalities are clearly separated in the new Identity Services library.

There are two guides to help you with migration:

(1) migrate to Google Identity Services for user authorization and obtaining access tokens for use with Google APIs, and
(2) migrating from Google Sign-In for user authentication and sign-in.

Your web application may use both authorization (to call Google APIs), and authentication (to manage user sign-in to your app). If this is the case, you’ll need to follow both migration guides to ensure separation of user authorization and authentication flows in your web application.

The migration guides are written to help you understand how the new Identity Services library differs from prior libraries, what these changes are, how to separate authentication from authorization, and how these changes affect both your users and your codebase.

Changes and benefits

Migration to our new Identity Services library includes a number of changes and benefits:

Pop-ups provide a more secure, reduced UX friction way to authorize your web app without having to use redirects or require users to leave your site.
Increased privacy and control by default: users approve individual scopes, and only when they are needed, improving how much, and when, sensitive data may be shared with your web app.
Separate ID token and access token credentials clearly distinguish user identity from application capabilities. Individual credentials are easier to separate, manage, or store based upon their level of risk. An identity may convey only who you are and offer a lower level of risk when compared to an access token with capabilities to read/write sensitive user data.
Forward compatibility with Chromium Privacy sandbox changes.

This is a brief summary of privacy, security, and usability changes found in the new Identity Services library, additional detail is available in the migration guides.

How to get help

Visit our developer site for more information and check out the google-oauth tag on Stack Overflow for technical assistance. You can also offer your suggestions and feedback by sending an email to [email protected].

Source: Google Developers Blog

Making Google OAuth interactions safer by using more secure OAuth flows

Posted by Vikrant Rana, Product Manager and Badi Azad, Group Product Manager, Google

At Google, we constantly strive to provide safer ways for users to sign-in and share their Google account data with third-party applications. In the spirit of that work, we will be rolling out a set of protections against phishing and app impersonation attacks during the OAuth interactions.

The Google sign-in and authorization flows are powered by the Google OAuth platform and over the years we have developed and supported a number of ways for app developers to integrate with supported OAuth flows. With the goal of keeping users safer online, we will end support for two legacy flows and will require developers to migrate to alternative implementation methods that offer greater protections.

To ensure a smooth transition and avoid any service interruption we will give ample time to implement and meet the compliance dates which are specified below. We will share further updates on this rollout via email so please make sure your support email address is up to date in project settings on the Google API console.

Loopback IP address flow will be disallowed for native iOS, Android and Chrome OAuth client types

The Loopback IP address flow is vulnerable to man in the middle attack where a malicious app, accessing the same loopback interface on some operating systems, may intercept the OAuth response and gain access to the authorization code. We intend to remove this threat vector by disallowing this flow for iOS, Android and Chrome app OAuth client types. The existing clients will be able to migrate to more secure implementation methods. New clients will be unable to use this flow starting on March 14, 2022.

What do I need to do

Determine if your app is using the Loopback IP address flow

You can inspect your app code or the outgoing network call (in case your app is using an OAuth library) to determine if the Google OAuth authorization request your app is making has the following values for “redirect_uri” parameter.

redirect_uri=http://127.0.0.1:port or http://[::1]:port">http://[::1]:port or

http://localhost:port

Migrate to an alternative flow

If your app is using the Loopback IP address method you need to migrate to another method which is more secure by default. Please consider the following alternative methods for migration.

iOS clients: Google Sign-In for iOS SDK
Android clients: Google Sign-In for Android SDK
Chrome clients: Chrome Identity API

Key dates for compliance

Mar 14, 2022 - new OAuth usage will be blocked for the Loopback IP address flow
Aug 1, 2022 - a user-facing warning message may be displayed to non-compliant OAuth requests one month before the compliance date
Aug 31, 2022 - the Loopback IP address flow is blocked for existing clients

OAuth out-of-band (oob) flow will be deprecated

OAuth out-of-band (OOB) is a legacy flow developed to support native clients which do not have a redirect URI like web apps to accept the credentials after a user approves an OAuth consent request. The OOB flow poses a remote phishing risk and clients must migrate to an alternative method to protect against this vulnerability. New clients will be unable to use this flow starting on Feb 28, 2022.

What do I need to do

Determine if your app is using the OOB flow

redirect_uri=urn:ietf:wg:oauth:2.0:oob or urn:ietf:wg:oauth:2.0:oob:auto or oob

Migrate to an alternative flow

If your app is using the OOB method you need to migrate to another method which is more secure by default. Please consider the following alternative methods for migration.

iOS clients: Google Sign-In for iOS SDK
Android clients: Google Sign-In for Android SDK
Chrome clients: Chrome Identity API
Desktop clients: OAuth 2.0 for Desktop apps

Key dates for compliance

Feb 28, 2022 - new OAuth usage will be blocked for the OOB flow
Sep 5, 2022 - a user-facing warning message may be displayed to non-compliant OAuth requests
Oct 3, 2022 - the OOB flow is deprecated for existing clients

User-facing warning message

A user-facing warning message may be displayed for non-compliant requests one month before the aforementioned OAuth methods are due to be blocked. The message will convey to the users that the app may be blocked soon while displaying the support email that you have registered in the OAuth consent screen in Google API Console.

[Sample user-facing warning]

The developers can acknowledge the user-facing warning message and suppress it by passing a query parameter in the authorization call as shown below.

Go to the code in your app where you send requests to Google's OAuth 2.0 Authorization Endpoint.
Add a parameter with a value of the enforcement date

For OOB: Add an ack_oob_shutdown parameter with a value of the enforcement date: 2022-10-03. Example: ack_oob_shutdown=2022-10-03
For Loopback IP address: Add an ack_loopback_shutdown parameter with a value of the enforcement date: 2022-08-31. Example: ack_loopback_shutdown=2022-08-31

User-facing error message

If an app is not updated to meet compliance by the required date the authorization requests will be blocked and users may encounter an invalid request error screen (sample shown below).

[Sample user-facing error]

Source: Google Developers Blog

Making Google OAuth interactions safer by using more secure OAuth flows

Posted by Vikrant Rana, Product Manager and Badi Azad, Group Product Manager, Google

Loopback IP address flow will be disallowed for native iOS, Android and Chrome OAuth client types

What do I need to do

Determine if your app is using the Loopback IP address flow

redirect_uri=http://127.0.0.1:port or http://[::1]:port">http://[::1]:port or

http://localhost:port

Migrate to an alternative flow

If your app is using the Loopback IP address method you need to migrate to another method which is more secure by default. Please consider the following alternative methods for migration.

iOS clients: Google Sign-In for iOS SDK
Android clients: Google Sign-In for Android SDK
Chrome clients: Chrome Identity API

Key dates for compliance

Mar 14, 2022 - new OAuth usage will be blocked for the Loopback IP address flow
Aug 1, 2022 - a user-facing warning message may be displayed to non-compliant OAuth requests one month before the compliance date
Aug 31, 2022 - the Loopback IP address flow is blocked for existing clients

OAuth out-of-band (oob) flow will be deprecated

What do I need to do

Determine if your app is using the OOB flow

redirect_uri=urn:ietf:wg:oauth:2.0:oob or urn:ietf:wg:oauth:2.0:oob:auto or oob

Migrate to an alternative flow

If your app is using the OOB method you need to migrate to another method which is more secure by default. Please consider the following alternative methods for migration.

iOS clients: Google Sign-In for iOS SDK
Android clients: Google Sign-In for Android SDK
Chrome clients: Chrome Identity API
Desktop clients: OAuth 2.0 for Desktop apps

Key dates for compliance

Feb 28, 2022 - new OAuth usage will be blocked for the OOB flow
Sep 5, 2022 - a user-facing warning message may be displayed to non-compliant OAuth requests
Oct 3, 2022 - the OOB flow is deprecated for existing clients

User-facing warning message

[Sample user-facing warning]

The developers can acknowledge the user-facing warning message and suppress it by passing a query parameter in the authorization call as shown below.

Go to the code in your app where you send requests to Google's OAuth 2.0 Authorization Endpoint.
Add a parameter with a value of the enforcement date

For OOB: Add an ack_oob_shutdown parameter with a value of the enforcement date: 2022-10-03. Example: ack_oob_shutdown=2022-10-03
For Loopback IP address: Add an ack_loopback_shutdown parameter with a value of the enforcement date: 2022-08-31. Example: ack_loopback_shutdown=2022-08-31

User-facing error message

If an app is not updated to meet compliance by the required date the authorization requests will be blocked and users may encounter an invalid request error screen (sample shown below).

[Sample user-facing error]

Source: Google Developers Blog

Announcing authorization support for Google Identity Services APIs

Posted by Rohey Livne, Product Manager

Google Identity Services (GIS)

At Google, keeping users safe online is our top priority, so we continuously invest in new tools and features to keep their personal information secure.

In August 2021, we launched a new family of Identity APIs called Google Identity Services (GIS), which consolidates multiple identity offerings under one web software development kit (SDK). This SDK includes the Sign in with Google button as well as One Tap, a low-friction authentication prompt. Sign in with Google and One Tap use secure tokens, rather than passwords, to sign users into sites and apps.

Today we are announcing the addition of an authorization feature, all under the same unified Google Identity Services SDK, which further increases the value of our suite of identity solutions and makes it simpler for developers to implement.

Caption: Authorization screen with individual consent options

What's new

The updated library now provides a ‘one-stop-shop’ for developers across both authentication and authorization. Authentication enables new user sign ups and returning user sign ins, while authorization allows developers to receive an access token to call Google APIs, with the user’s consent.

To provide developers with more control, the new SDK supports a clear separation between authentication and authorization moments. This enables partners to make authentication and authorization calls as two separate and distinct flows based on the needs of the site or app.

Benefits

The new SDK uses browser-based pop-up dialogues, which reduces user friction on sites and apps, streamlines authentication and authorization flows, and increases user engagement.

In addition, the removal of automatic refresh of expired access tokens enhances the overall security of the flows, requiring an end user to explicitly refresh their session, preventing long standing tokens from being used for unintended purposes.

Furthermore, the new consolidated library reduces integration complexity minimizing development time and effort. To simplify integration even further, we provide pre-scripted easy to use code snippets that can be copied and pasted directly onto partner sites.

Users who take advantage of Google’s authentication or authorization flows benefit from Google’s leading security infrastructure, offering two factor authentication, password recovery flows, and have the peace of mind that all sites and apps with authorization enabled, have been verified by Google.

We continue to improve our solutions as part of the migration to Google Identity Services (GIS), so look out for more capabilities added throughout the year.

To take advantage of the new Google Identity Services (GIS) library, head over to Google’s Developer site and click on the ‘Get Started’ button for access to technical documentation.

Source: Google Developers Blog

Ads API apps must complete OAuth verification

Last year, the OAuth scopes used by the following Ads APIs were classified as sensitive, requiring developers to complete the OAuth verification process for their Google Cloud projects:

Google Ads API & AdWords API
- https://www.googleapis.com/auth/adwords
Content API for Shopping
- https://www.googleapis.com/auth/content
DoubleClick Bid Manager API
- https://www.googleapis.com/auth/doubleclickbidmanager

Any remaining OAuth clients using the above scopes that remain unverified may have their existing credentials revoked and lose access to the above APIs if they do not complete the OAuth verification process as soon as possible.

Certain apps may qualify for one of the exceptions for app verification. If your application meets any one of those exceptions, follow the steps listed for the appropriate use case. If not, you must complete OAuth verification to continue using these Ads APIs.

If you have any questions or need additional help, contact us using any of the following support options:

Google Ads API & AdWords API: [email protected]
Content API for Shopping: support forum
DoubleClick Bid Manager API: support contact form

Adam Ohren, Google Ads API Team

Audience

Context

What to Expect in the Migration

Some Developers May be Required to Make Changes

Migration Timeline

Checklist for Developers to Prepare

Source: Google for Developers Blog - News about Web, Mobile, AI and Cloud

Source: Google for Developers Blog - News about Web, Mobile, AI and Cloud

Audience

Why FedCM

What is changing for GIS developers

More on the FedCM User Experience

Timeline

Join our Beta program to prepare

Source: Google for Developers Blog - News about Web, Mobile, AI and Cloud

What’s New

Android

Web

iOS and macOS

Deprecations

Source: Google Developers Blog

Important resources

Source: Google Open Source Blog

What does this mean for you?

Are you affected?

Migration

Changes and benefits

How to get help

Source: Google Developers Blog

Determine if your app is using the Loopback IP address flow

Migrate to an alternative flow

Determine if your app is using the OOB flow

Migrate to an alternative flow

Source: Google Developers Blog

Determine if your app is using the Loopback IP address flow

Migrate to an alternative flow

Determine if your app is using the OOB flow

Migrate to an alternative flow

Source: Google Developers Blog

Source: Google Developers Blog

Source: Google Ads Developer Blog