[Reminder] Migrate your impacted OAuth out-of-band flow to an alternative method before Oct. 3, 2022

13 views
Skip to first unread message

Google Developers

unread,
Sep 27, 2022, 5:25:37 PM9/27/22
to page...@googlegroups.com
Google logo
OAuth out-of-band flow will be blocked for your production OAuth clients.
Our records indicate you have OAuth clients that used the OAuth OOB flow in the past.

Hello Google OAuth Developer,

We're writing to remind you that the OAuth out-of-band (OOB) flow will be deprecated on October 3, 2022, to protect your users from phishing and app impersonation attacks.

What do I need to know?

As we notified you in May and August 2022, any affected authorization endpoint requests will be blocked with an invalid_request error after October 3, 2022.

If you have already migrated your app(s) to an alternative OAuth method, no further action is required. Please note that if your app(s) is natively installed you may have to request your users to update the app to the newer version to stop using the OOB method.

Below are key dates for compliance:

  • September 5, 2022: A user-facing warning message will be displayed to non-compliant OAuth requests.
  • October 3, 2022: The OOB flow will be blocked for all clients and users will see the error page.

Please reference our previous email with the subject line containing: “Migrate your OAuth out-of-band flow to an alternative method before October 3, 2022,” for more details.

What do I need to do?

  • Please see the Making Google OAuth interactions safer by using more secure OAuth flows blog post to learn about the deprecation
  • Follow the Out-of-band (OOB) Migration Guide to migrate your app to an alternative method.
  • You may acknowledge the upcoming deadline and suppress a possible user-facing warning message by following instructions in our blog post. All non-compliant authorization requests will be blocked with an invalid_request error when loading Google's OAuth 2.0 authorization endpoint after October 3, 2022.
  • If necessary, you may request a one-time deprecation enforcement extension for each listed OAuth client ID until January 31, 2023. For clarity, the enforcement for the OOB flow deprecation will be enforced on February 1, 2023 with no exceptions or extensions. If you have already requested an extension please ignore this instruction.

The following OAuth client(s) will be blocked.

OAuth client list:

Thanks for choosing Google OAuth.

— The Google OAuth Developer Team

© 2022 Google LLC 1600 Amphitheatre Parkway, Mountain View, CA 94043

You have received this mandatory service announcement to update you about important changes to Google services you use.

Reply all
Reply to author
Forward
0 new messages