The Changes to OAuth 2.0 endpoint

 

In the coming weeks we will be making three changes to the experimental OAuth 2.0 endpoint. We expect the impact to be minimal, and we’re emailing developers who are most likely to be affected.

We will be releasing these changes on November 15, 2011. This post describes the changes, their impact, and how they can be mitigated.

Change #1: Error responses for client-side web applications

The first change relates to the way errors are returned in OAuth 2.0 client-side web applications. It does not impact server-side, native, or device flows.

The current behavior of the OAuth 2.0 endpoint in certain error conditions is to return the error to the application as a query string parameter, for example:

https://www.example.com/back?error=access_denied.

The OAuth 2.0 specification indicates that the error should be returned in the fragment of the response. We are updating our OAuth 2.0 implementation to support the most recent draft of the specification. As a result, we will be changing the way we return errors to applications in the client-side flow.

As an example, today an error returns to your application as

https://www.example.com/back?error=access_denied. After this change, it will be returned as

https://www.example.com/back#error=access_denied.

There is no mitigation for this change, so your application will have to handle these types of errors in client-side script.

Change #2: Offline access as a separate parameter

The second change impacts the OAuth 2.0 server-side flow only. It does not impact client-side, native, or device flows. For context, this flow consists of the following steps:

  1. Redirect the browser to the Google OAuth 2.0 endpoint.
  2. The user will be shown a consent page.
  3. If the user consents, parse the authorization code from the query string of the response.
  4. Exchange the authorization code for a short-lived access token and a long-lived refresh token.

Once your application has obtained a long-lived refresh token (step 4), it may access a Google API at any time. This means server-side applications do not require the end-user to be present when obtaining new access tokens. We’re calling this type of access offline.

The client-side flow, in contrast, requires the user to be present when obtaining an access token. This type of access is called online.

With this change, we will be exposing online and offline access as a separate parameter that’s available only in the server-side flow.

When your application requests offline access, the consent page shown to a user will reflect that your application requests offline access and your application will receive an access and a refresh token. Once your application has a refresh token, it may obtain a new access token at any time.

When your application requests online access, your application will only receive an access token. No refresh token will be returned. This means that a user must be present in order for your application to obtain a new access token.

If unspecified in the request, online is the default.

A mitigation for this change is described at the end of this post.

Change #3: Server-side auto-approval

This change also impacts the OAuth 2.0 server-side flow only.

In the current implementation of OAuth2, every time your application redirects a user to Google, that user must give explicit consent before an authorization code is given to your application. As a result, sending a user through the flow another time requires them to see the consent screen again. Most applications don’t do this, but rather use the existing server-side flow as it was intended: a one-time association (import contacts, calendar operations, etc.) where the result is a refresh token which may be used to obtain new access tokens.

The behavior is changing to the following:

  • Users will only see the consent screen on their first time through the sequence.
  • If the application requests offline access, only the first authorization code exchange results in a refresh token.

To put it another way, consent will be auto-approved for returning users unless the user has revoked access. Refresh tokens are not returned for responses that were auto-approved.

The next section describes how to mitigate this change.

Mitigation of offline access (#2) and auto-approval (#3) changes

If you want to keep the existing behavior in your server-side applications, include the approval_prompt=force and access_type=offline parameters in an authorization code request.

For example, if the following is a target URL for obtaining an authorization code today:

https://accounts.google.com/o/oauth2/auth?
client_id=21302922996.apps.googleusercontent.com&
redirect_uri=https://www.example.com/back&
scope=https://www.google.com/m8/feeds/&
response_type=code

You can maintain the current behavior by changing the target URL to:

https://accounts.google.com/o/oauth2/auth?
client_id=21302922996.apps.googleusercontent.com&
redirect_uri=https://www.example.com/back&
scope=https://www.google.com/m8/feeds/&
response_type=code&
access_type=offline&
approval_prompt=force

You may start including these parameters in authorization code requests today.

Google Code-In Final Statistics

Thank you to all of the participants in Google Code-In, a contest designed to introduce pre-university students from around the world to the many possibilities for participation in the open source community.

The contest was a great success with 361 students (ages 13-18) from 48 countries completing a total of 2,167 tasks during the 7 week contest period. The students completed 769 Easy tasks, 798 Medium level tasks and 600 Difficult tasks during Google Code-In. We are thrilled with the response and the quality of work completed for the contest and look forward to seeing more from these talented students in the future.

The top 10 countries with the highest number of participants were, in order: The United States, Romania, Bulgaria, The Russian Federation, India, Poland, Canada, Germany, Italy, and Australia.

We would also like to extend a huge thank you to our 20 mentoring organizations and administrators from all over the globe, who through their guidance and encouragement are introducing young coders to the numerous ways to contribute to diverse open source projects.

Please stay tuned as we announce the Google Code-In contest winners on Monday, February 14th.

BigQuery, meet Google Spreadsheets

Since announcing BigQuery at Google IO last May, we’ve been very excited by the response and feedback we’ve received from the developer community, enterprises and academia. The one consistent request we heard from everyone is the ability to interactively analyze large volumes of data without having to worry about provisioning, maintaining and scaling infrastructure.

Today, we would like to announce the integration of BigQuery with Google Apps Script and Google Spreadsheets, a feature we first demoed at Google IO. With this integration users now have the power to query multi-billion row tables, visualize the results and share them with others. Below you can see a simple script that queries a sample dataset and plots the results. A simple tutorial is available here with more to come soon.

We’ve seen a big uptake of the APIs (released in October) which let you create, populate and delete tables in BigQuery. Users have been loading more and more data in BigQuery. For instance the current M-Lab dataset in BigQuery stands at 240B rows!

The details of BigQuery and new features are available on the BigQuery website. We are gradually adding more developers during this free preview period. Please sign up for an invitation, and let us know about the creative and valuable ways you’re using BigQuery.