[keycloak-user] Google Identity and Google+ API

James Campbell jpcampb2 at ncsu.edu
Fri Dec 21 22:01:30 EST 2018


Having looked a bit more closely at this, it appears that currently the
GoogleIdentityProvider
(keycloak\services\src\main\java\org\keycloak\social\google\GoogleIdentityProvider.java)
has the Google+ Profile URL hard-coded into it.

There are at least four alternatives available, according to the Google
OAuth2.0 Playground and documentation.

Three provide very similar data, and rely on the same base authorization as
the oauth2 series (i.e. they do not require specifically enabling the
People API or Google+ API)
  - https://www.googleapis.com/userinfo/v2/me
  - https://www.googleapis.com/oauth2/v2/userinfo
  - https://www.googleapis.com/oauth2/v3/userinfo (also exists but does not
seem as well documented)

The fourth is an endpoint on the People API that provides much fuller
profile information:
  - https://people.googleapis.com/v1/people/me (which *would* require
enabling the People API for the associated credentials)

Given those alternatives, and the fact that Google documentation says
they'll be shutting down the Google+ APIs as early as January 2019, it
seems prudent to simply change to one of the oauth-only endpoints, such as
https://www.googleapis.com/oauth2/v2/userinfo

Would that simple change be sufficient, or would additional default mapping
changes be required?

James

On Fri, Dec 21, 2018 at 3:58 PM James Campbell <jpcampb2 at ncsu.edu> wrote:

> Hi all--
>
> I'm just getting started with keycloak, and have set up the google
> identity provider. I notice that the google identity provider uses the
> Google+ API for profile information, which seems unnecessary, but I do not
> see a way to turn it off (maybe limit the scopes requested)?
>
> Given the now-imminent deprecation of the Google+ APIs, is there a way to
> ensure I'm not using the Google+ API?
>
> James
>


-- 
James Campbell <jpcampb2 at ncsu.edu>
Government Researcher
(919) 987-3378
Laboratory for Analytic Sciences <https://ncsu-las.org/>
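
An added illustration of the mapping question raised above (not part of the original message and not Keycloak code): a small normalizer showing where the v2 and v3 userinfo responses differ in claim names, which matters most for the subject identifier and the email-verification flag that account linking relies on. The payloads are constructed samples, and the field names (`id`/`verified_email` for v2, `sub`/`email_verified` for v3) are assumptions to confirm against a live response.

```python
# Added example (not Keycloak code). Payloads are constructed samples; the
# field names are assumed from Google's published response shapes.
V2_SAMPLE = {  # shape assumed for /oauth2/v2/userinfo and /userinfo/v2/me
    "id": "100000000000000000001", "email": "user@example.org",
    "verified_email": True, "name": "Sample User",
    "given_name": "Sample", "family_name": "User",
}
V3_SAMPLE = {  # shape assumed for /oauth2/v3/userinfo (OpenID Connect names)
    "sub": "100000000000000000001", "email": "user@example.org",
    "email_verified": True, "name": "Sample User",
    "given_name": "Sample", "family_name": "User",
}

# Claim names a mapper written for OpenID Connect responses would look up.
OIDC_CLAIMS = ("sub", "email", "email_verified", "given_name", "family_name")


def missing_claims(payload, expected=OIDC_CLAIMS):
    """Return the expected claim names that the response does not carry."""
    return [name for name in expected if name not in payload]


def normalize_userinfo(payload):
    """Map either response shape to one profile dict."""
    subject = payload.get("sub") or payload.get("id")
    if not subject:
        raise ValueError("no stable subject identifier in userinfo response")
    flag = payload.get("email_verified", payload.get("verified_email"))
    # Fail closed: only an explicit true counts as verified.
    verified = flag is True or (isinstance(flag, str) and flag.lower() == "true")
    email = payload.get("email")
    return {
        "subject": str(subject),
        "email": email,
        "email_verified": bool(email) and verified,
        "first_name": payload.get("given_name"),
        "last_name": payload.get("family_name"),
        "display_name": payload.get("name"),
    }


if __name__ == "__main__":
    for label, sample in (("v2", V2_SAMPLE), ("v3", V3_SAMPLE)):
        print(label, "missing:", missing_claims(sample))
        print(label, "profile:", normalize_userinfo(sample))
```
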

