Millions of developers rely on Google’s identity platform for user authentication and the ability to authorize access to hundreds of APIs. Underpinning the platform is one of the world’s largest implementations of the OAuth 2.0 protocol and related OpenID Connect standard, which provide a seamless, safe, and reliable way for developers to integrate with Google. We’re excited to share some updates that will make the platform even more secure and easy to use.
Developers who use Sign in with Google for authentication, or who obtain user authorization to call Google APIs, need to register their apps and websites to create client credentials. For developers who use the Google Cloud Console, the OAuth configuration pages previously lived in the APIs & Services section. Now, these pages have their own dedicated navigation section called Google Auth Platform. As part of this change, we’ve made it easier to register new projects, reduced the time it takes to update app configurations, and added more helpful guidance for developers. Stay tuned for more improvements in the coming months, including a better onboarding wizard, simplified OAuth scope management, and changes to make app verification faster and more transparent.
For developers who use OAuth capabilities through other consoles like Firebase or Apps Script, your experience on those products remains unchanged.
Some OAuth clients (confidential clients, such as web server applications, as opposed to public clients like mobile and single-page apps) are required to present a “secret” when making authentication and authorization requests. The client secret is like a password for a website or application, so it’s critical to protect these strings to ensure the security and privacy of user accounts and data.
Historically, developers have been able to view and download their own client secrets in the Google Cloud Console, Firebase Console, and other places across Google developer products. Beginning in June, we’ll mask OAuth secrets in the client management pages of the Google Cloud Console. As an aid to help identify them, developer consoles will show only the last few characters.
Developers will need to download their OAuth client secrets when they’re created and manage them in a secure way. Most developers already do this using Google Cloud Secret Manager or similar tools. Once the creation screen is closed, the client secret will not be shown again.
As a reminder, OAuth client secrets that allow access to user data or other production systems should never be checked into version control systems or shared widely on the internet. Secrets should be rotated periodically and changed immediately in the case of a leak.
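The guidance above on never committing client secrets is easier to follow with an automated check in the repository. The following is an added example, not code from the original post or from Google: a small scanner that walks a source tree, flags Google OAuth client secrets and the `client_secret` key from a downloaded credentials JSON file, and reports each hit with the value masked the way the console will show it (last few characters only). It assumes, as stated in the code, that current Google OAuth client secrets carry the `GOCSPX-` prefix; the sample repository and every secret value in it are constructed and fake.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Assumption (not stated on the page): recent Google OAuth client secrets begin with
# the prefix "GOCSPX-". The second pattern catches the `client_secret` key in the
# JSON file the console lets you download at creation time, whatever the secret's form.
PATTERNS = {
    "gocspx_secret": re.compile(r"\bGOCSPX-[A-Za-z0-9_\-]{20,}"),
    "client_secret_key": re.compile(r'"client_secret"\s*:\s*"([^"]+)"'),
}

# Directories whose contents are not our source and would only produce noise.
SKIP_DIRS = {".git", "node_modules", ".venv", "__pycache__"}


def mask(secret: str, keep: int = 4) -> str:
    """Show only the trailing characters, like the console's masked display."""
    return "*" * max(len(secret) - keep, 0) + secret[-keep:]


def find_secrets(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, pattern_name, masked_value) for every hit in the text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                hits.append((lineno, name, mask(value)))
    return hits


def scan_tree(root: Path) -> dict[str, list[tuple[int, str, str]]]:
    """Scan every regular file under root (skipping SKIP_DIRS) and report findings per path."""
    findings: dict[str, list[tuple[int, str, str]]] = {}
    for path in root.rglob("*"):
        if any(part in SKIP_DIRS for part in path.parts) or not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            continue  # binary file; a fuller scanner would entropy-check these too
        hits = find_secrets(text)
        if hits:
            findings[str(path.relative_to(root))] = hits
    return findings


def demo() -> dict[str, list[tuple[int, str, str]]]:
    """Build a constructed mini-repo in a temp dir and scan it. All secret values are fake."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "settings.py").write_text(
            'GOOGLE_CLIENT_ID = "123-example.apps.googleusercontent.com"\n'
            'GOOGLE_CLIENT_SECRET = "GOCSPX-constructedFakeSecretValue0000"  # constructed\n'
        )
        (root / "client_secret.json").write_text(
            '{"web": {"client_id": "123-example.apps.googleusercontent.com",\n'
            '         "client_secret": "constructed-fake-legacy-style-secret"}}\n'
        )
        (root / "README.md").write_text("Nothing sensitive here.\n")
        (root / ".git").mkdir()
        (root / ".git" / "config").write_text(
            'secret = "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0"\n'
        )
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        for lineno, kind, masked in hits:
            print(f"{path}:{lineno}: {kind} {masked}")
```

Wired into a pre-commit hook or CI job, a non-empty result should fail the run; the masked output lets the finding be reported in logs without repeating the secret, and anything it does catch should be treated as leaked and rotated, not merely removed from history.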
Starting in June, OAuth clients that have been inactive for 6 months will be automatically deleted to better protect against credential theft and misuse. The 6-month period is counted from the client’s last token exchange. Developers will be notified of deletion due to inactivity, and can restore deleted clients for up to 30 days after deletion.
To ensure that you receive these notifications and others related to your app, review your contact information settings.
With these improvements, and more to come later this year, we’re making your experience simpler and safer, so you can spend more time building helpful apps and sites for your users.