Aspnetcore: [Announcement] Google+ based auth deprecation and replacement

Created on 8 Jan 2019  路  29Comments  路  Source: dotnet/aspnetcore

Google is starting to shut down Google+ Signin for applications as early as January 28th 2019. ASP.NET and ASP.NET Core have been using the Google+ Signin APIs to authenticate Google account users in web applications. The affected NuGet packages are Microsoft.AspNetCore.Authentication.Google for ASP.NET Core and Microsoft.Owin.Security.Google for Microsoft.Owin with ASP.NET Web Forms and MVC. Mitigations and solutions will vary depending on which package and which version of that package you use.

Note that the replacement APIs Google has provided use a different data source and format. The mitigations and solutions given below account for the structural changes but applications will need to verify the data itself still satisfies their requirements. E.g. names, e-mail addresses, profile links, profile photos, etc. may provide subtly different values than before.

Microsoft.Owin with ASP.NET Web Forms and MVC

For Microsoft.Owin 3.1.0 and later a temporary mitigation is outlined here. Applications should do immediate testing with the mitigation to check for changes in the data format. We'll plan to release Microsoft.Owin 4.0.1 with a fix for this as soon as possible. Applications using any prior version will need to update to 4.0.1.

ASP.NET Core 1.x

The mitigation given above for Microsoft.Owin can also be adapted for ASP.NET Core 1.x. As 1.x is nearing end of life and has low usage there are no plans to patch the NuGet packages for this issue.

ASP.NET Core 2.x

For Microsoft.AspNetCore.Authentication.Google 2.x the mitigation is to replace your existing call to AddGoogle in Startup with:
```c#
.AddGoogle(o =>
{
o.ClientId = Configuration["Authentication:Google:ClientId"];
o.ClientSecret = Configuration["Authentication:Google:ClientSecret"];
o.UserInformationEndpoint = "https://www.googleapis.com/oauth2/v2/userinfo";
o.ClaimActions.Clear();
o.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "id");
o.ClaimActions.MapJsonKey(ClaimTypes.Name, "name");
o.ClaimActions.MapJsonKey(ClaimTypes.GivenName, "given_name");
o.ClaimActions.MapJsonKey(ClaimTypes.Surname, "family_name");
o.ClaimActions.MapJsonKey("urn:google:profile", "link");
o.ClaimActions.MapJsonKey(ClaimTypes.Email, "email");
});

Applications should do immediate testing with the mitigation to check for changes in the data format. Expect a fix for this to be included in the February 2.1 and 2.2 patches that incorperates the above reconfiguration as the new defaults. No patch is planned for 2.0 since it has reached [end of life](https://dotnet.microsoft.com/platform/support-policy).

### ASP.NET Core 3.0 Preview
The mitigation given for 2.x can also be used for the current 3.0 preview. In future 3.0 previews we're considering removing the Microsoft.AspNetCore.Authentication.Google package and directing users to Microsoft.AspNetCore.Authentication.OpenIdConnect instead. We'll follow up with the final plan. Here's how to replace `AddGoogle` with `AddOpenIdConnect` in `Startup`. This replacement can be used with ASP.NET Core 2.0 and later and can be adapted for 1.x as needed.
```c#
            .AddOpenIdConnect("Google", o =>
            {
                o.ClientId = Configuration["Authentication:Google:ClientId"];
                o.ClientSecret = Configuration["Authentication:Google:ClientSecret"];
                o.Authority = "https://accounts.google.com";
                o.ResponseType = OpenIdConnectResponseType.Code;
                o.CallbackPath = "/signin-google"; // Or register the default "/sigin-oidc"
                o.Scope.Add("email");
            });
            JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
area-security
Source
picture Tratcher
👍17 🎉2

Most helpful comment

Update: Microsoft.AspNetCore.Authentication.Google 2.2.2 and 2.1.8 have been published to nuget.org with this fix.

picture Tratcher on 19 Feb 2019
👍2

All 29 comments

What about the samples?
https://github.com/aspnet/AspNetCore/tree/master/src/AuthSamples/samples/Identity.ExternalClaims

JesperNoerregaard picture JesperNoerregaard on 9 Jan 2019
👎2

These two lines might need to change, but that's about it:
https://github.com/aspnet/AspNetCore/blob/89ef21514694323e5ea5b304061464c26b373dbf/src/AuthSamples/samples/Identity.ExternalClaims/Startup.cs#L43-L44

Tratcher picture Tratcher on 9 Jan 2019

Is this just about AddGoogle?
There are more methods like AddTwitter,AddFacebook,AddMicrosoftAccount.

xsoheilalizadeh picture xsoheilalizadeh on 12 Jan 2019

Correct, only Google.

Tratcher picture Tratcher on 12 Jan 2019

Update:

Microsoft.Owin.Security.Google 4.0.1 has been published to nuget.org with this fix.

The fix will be available soon in ASP.NET Core 3.0.0-preview2.

The ASP.NET Core 2.1 and 2.2 patches are expected as part of the normal February patch release.

Tratcher picture Tratcher on 25 Jan 2019

The method for ASP.NET Core 2.x seems to only be getting nameidentifier and name (that is actually the email address). I might be mistaken but I can't find given_name, family_name, link or the actual email field in the claims returned.

mattgenious picture mattgenious on 14 Feb 2019

@mattgenious Are you looking under these claim types?
https://github.com/aspnet/AspNetCore/blob/4a5b6ea169a368adba54eef303a040a4206041f4/src/Security/Authentication/Google/src/GoogleOptions.cs#L28-L33

Tratcher picture Tratcher on 14 Feb 2019

Yes, when I check at runtime what actually is retrieved the result is as I described. But again, I might be missing something or misunderstanding something.

mattgenious picture mattgenious on 14 Feb 2019

Is it an account specific issue? Do you get the same behavior with other accounts?

Tratcher picture Tratcher on 14 Feb 2019
👍1

I鈥檒l get back to you on that as I鈥檝e only tried with g suite accounts until now.

mattgenious picture mattgenious on 14 Feb 2019

Tested it and I'm seeing the same results for both g suite and standard google accounts.

mattgenious picture mattgenious on 15 Feb 2019

Found my mistake, I was not correctly persisting the claims, so at runtime I was not getting them because they were not persisted in my db. Sorry about that

mattgenious picture mattgenious on 15 Feb 2019

Update: Microsoft.AspNetCore.Authentication.Google 2.2.2 and 2.1.8 have been published to nuget.org with this fix.

Tratcher picture Tratcher on 19 Feb 2019
👍2

To clarify, use the solutions in the first message of this thread and don't follow the advice which the exception gives you:

An error occurred when retrieving Google user information (Forbidden). Please check if the authentication information is correct and the corresponding Google+ API is enabled

You're not required to enable any API in order to sign in with Google.

Merely having correctly configured OAuth credentials (done here) should be enough. By clicking the "Configure a project" button mentioned in the different guides, an OAuth 2.0 Client ID called "OAuth client" will be created.

bjorn-ali-goransson picture bjorn-ali-goransson on 12 Jun 2019

@bjorn-ali-goransson indeed, that message is out of date. I've added a note to fix it next time we work on those. https://github.com/aspnet/AspNetCore/issues/4684#issuecomment-501256499

Tratcher picture Tratcher on 12 Jun 2019

I'm trying to use this configuration with 3.0.0-preview7 but I get the following exception.

System.InvalidOperationException: Unexpected error occurred loading external login info for user with ID 'a30f7262-3fcf-4812-ac46-aa5e84c9ae83'.
   at Microsoft.AspNetCore.Identity.UI.V4.Pages.Account.Manage.Internal.ExternalLoginsModel`1.OnGetLinkLoginCallbackAsync()
   at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.ExecutorFactory.GenericTaskHandlerMethod.Convert[T](Object taskAsObject)
   at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.ExecutorFactory.GenericTaskHandlerMethod.Execute(Object receiver, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.InvokeHandlerMethodAsync()
   at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.InvokeNextPageFilterAsync()
   at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.Rethrow(PageHandlerExecutedContext context)
   at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.InvokeInnerFilterAsync()
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextResourceFilter>g__Awaited|24_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResourceExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeFilterPipelineAsync()
--- End of stack trace from previous location where exception was thrown ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Logged|17_1(ResourceInvoker invoker)
   at Microsoft.AspNetCore.Routing.EndpointMiddleware.<Invoke>g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger)
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore.MigrationsEndPointMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore.DatabaseErrorPageMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore.DatabaseErrorPageMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

I have the following packages installed

<PackageReference Include="Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore" Version="3.0.0-preview7.19365.7"/> <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="3.0.0-preview7.19365.7"/> <PackageReference Include="Microsoft.AspNetCore.Identity.UI" Version="3.0.0-preview7.19365.7"/> <PackageReference Include="Microsoft.EntityFrameworkCore.Sqlite" Version="3.0.0-preview7.19362.6"/> <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="3.0.0-preview7.19362.6"/> <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="3.0.0-preview7.19365.7"/>

marcuslindblom picture marcuslindblom on 9 Aug 2019

@HaoK ?

Tratcher picture Tratcher on 9 Aug 2019

Yeah that's usually the error you get when the google account was already linked to another user, we are fixing that to be an error message instead of an exception in 3.0.

HaoK picture HaoK on 9 Aug 2019

Ok. Is it possible to unlink the account? The strange thing is that I have like 5 google accounts and none of them works. Pretty strange isn't it?

marcuslindblom picture marcuslindblom on 9 Aug 2019

You should be able to login via google which will take you to the correct account and then manage/unlink and you can relink it to the one you want

HaoK picture HaoK on 9 Aug 2019

If I understand you correctly, I should go to account.google.com, login and go back to https://localhost:5001/Manage/Unlink? That URL does not exist. Or do you mean that manage => unlink is some kind of links/buttons on google.com?

marcuslindblom picture marcuslindblom on 9 Aug 2019

No, you should login to your app via the external google login button from the login page, which should log you in as the user who has that google login already linked so you can unlink it

HaoK picture HaoK on 9 Aug 2019

You can also start with a clean database to verify that there isn't something else going on.

HaoK picture HaoK on 9 Aug 2019

Hm but the actual problem is that I can鈥檛 login. The exception I posted happen when I get redirected back to my app. Clean db, no accounts has been linked or created.

marcuslindblom picture marcuslindblom on 9 Aug 2019

I'm not sure what to tell you, I just tried this (albeit on latest preview 8 bits), but these are pretty much identical to the preview 7 bits you are trying: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/social/google-logins?view=aspnetcore-2.2

File new Web App -> Individual Auth, Add reference to Google auth, and configure it with your client info from google API console:

            services.AddAuthentication().AddGoogle(o =>
            {
                o.ClientId = "XXXXX.apps.googleusercontent.com";
                o.ClientSecret = "XYZYZYXYX";
            });

Ran the app, login via google button, which goes thru google login, comes back, you have to validate your email before it lets you continue, and also apply migrations, and then login via google again, which shows me logged in.

So maybe you are doing something slightly different in your flow?

HaoK picture HaoK on 9 Aug 2019

Ok, I see the problem now. I read the initial comment on this issue which suggested to use OpenIdConnect instead of Google because it was "broken". So I have been trying and trying with the wrong config. Thanks for pointing that out to me 馃檶

marcuslindblom picture marcuslindblom on 9 Aug 2019

OpenIdConnect should work too, but it can be harder to configure.

Tratcher picture Tratcher on 9 Aug 2019

I cannot see both options now
services.AddAuthentication().AddOpenIdConnect
services.AddAuthentication().AddGoogle

Using .net core 3 Preview version and MVC project

hemanth2 picture hemanth2 on 1 Sep 2019

According to #3755 they removed from Microsoft.AspNetCore.App, you have to Install Microsoft.AspNetCore.Authentication.OpenIdConnect

xsoheilalizadeh picture xsoheilalizadeh on 1 Sep 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

farhadibehnam picture farhadibehnam  路  3Comments
Kevenvz picture Kevenvz  路  3Comments
BrennanConroy picture BrennanConroy  路  3Comments
ipinak picture ipinak  路  3Comments
githubgitgit picture githubgitgit  路  3Comments