G Suite Developers Blog: Upcoming changes to OAuth 2.0 endpoint

G Suite Developers Blog

Information for G Suite Developers

Upcoming changes to OAuth 2.0 endpoint

October 11, 2011

Editor's note: This post by Google Senior Product Manager Justin Smith has been cross-posted from the Google Code blog because we think it'll be of great interest to Google Apps developers. -- Ryan BoydIn the coming weeks we will be making three changes to the experimental OAuth 2.0 endpoint. We expect the impact to be minimal, and we’re emailing developers who are most likely to be affected.November 15, 2011Change #1: Error responses for client-side web applicationsOAuth 2.0 client-side web applicationshttps://www.example.com/back?error=access_denied.https://www.example.com/back?error=access_deniedhttps://www.example.com/back#error=access_deniedChange #2: Offline access as a separate parameterOAuth 2.0 server-side

Redirect the browser to the Google OAuth 2.0 endpoint.

The user will be shown a consent page.

If the user consents, parse the authorization code from the query string of the response.

Exchange the authorization code for a short-lived access token and a long-lived refresh token.

offlineonlineonlineofflineofflineofflineonlineonlineChange #3: Server-side auto-approvalOAuth 2.0 server-sidesending a user through the flow another time requires them to see the consent screen again

Users will only see the consent screen on their first time through the sequence.

If the application requests offline access, only the first authorization code exchange results in a refresh token.

Mitigation of offline access (#2) and auto-approval (#3) changesapproval_prompt=forceaccess_type=offlinehttps://accounts.google.com/o/oauth2/auth? client_id=21302922996.apps.googleusercontent.com& redirect_uri=https://www.example.com/back& scope=https://www.google.com/m8/feeds/& response_type=code https://accounts.google.com/o/oauth2/auth? client_id=21302922996.apps.googleusercontent.com& redirect_uri=https://www.example.com/back& scope=https://www.google.com/m8/feeds/& response_type=code& access_type=offline& approval_prompt=force Questions?https://groups.google.com/forum/#!forum/OAuth 2.0-dev

Justin Smith

Justin Smith is a Product Manager who works on authentication and authorization technologies at Google. He enjoys woodworking, cycling, country music, and the company of his wife (not necessarily in that order).