[Action Required] Migrate your impacted OAuth out-of-band flow to an alternative method before Oct. 3, 2022

23 views
Skip to first unread message

Google Developers

unread,
Aug 23, 2022, 3:16:05 PMAug 23
to page...@googlegroups.com
Google logo
OAuth out-of-band flow will be blocked for your production OAuth clients.
Our records indicate you have OAuth clients that used the OAuth OOB flow in the past.

Hello Google OAuth Developer,

We're writing to remind you that the OAuth out-of-band (OOB) flow will be deprecated on October 3, 2022, to protect your users from phishing and app impersonation attacks.

What do I need to know?

As we notified you in the first week of May 2022, any affected authorization endpoint requests will be blocked with an invalid_request error after October 3, 2022. Apps using OOB in testing mode will not be affected. However, we strongly recommend migrating them to safer methods as these apps will be immediately blocked when switching to in production status.

Below are key dates for compliance:

  • September 5, 2022: A user-facing warning message will be displayed to non-compliant OAuth requests.
  • October 3, 2022: The OOB flow will be blocked for all clients and users will see the error page.

Please reference our previous email with the subject line containing: “Migrate your OAuth out-of-band flow to an alternative method before Oct. 3, 2022,” for more details.

What do I need to do?

  • Please see the Making Google OAuth interactions safer by using more secure OAuth flows blog post to learn about the deprecation
  • Follow the Out-of-band (OOB) Migration Guide to migrate your app to an alternative method.
  • You may acknowledge the upcoming deadline and suppress a possible user-facing warning message by following instructions in our blog post. All non-compliant authorization requests will be blocked with an invalid_request error when loading Google's OAuth 2.0 authorization endpoint after October 3, 2022.
  • If necessary, you may request a one-time deprecation enforcement extension for each listed OAuth client ID until January 31, 2023. For clarity, the enforcement for the OOB flow deprecation will be enforced on February 1, 2023 with no exceptions or extensions.

Refer to the sample of OAuth clients below, which will be blocked.

Sample OAuth client list:

Thanks for choosing Google OAuth.

— The Google OAuth Developer Team

Was this information helpful?
Visit Google Cloud on Twitter     Visit Google Cloud on Twitter     Visit Google Cloud on Twitter

© 2022 Google LLC 1600 Amphitheatre Parkway, Mountain View, CA 94043

You have received this mandatory service announcement to update you about important changes to Google services you use.

manu

unread,
Aug 23, 2022, 3:17:03 PMAug 23
to Page Notes - Chrome Extension
For what it's worth, I've already requested extension for this, but I've not heard back from Google yet. As far as I can tell, it will not break existing setups.
Reply all
Reply to author
Forward
0 new messages