Changes to Google OAuth 2.0 and updates in Google middleware for 3.0.0 RC release

Changes to Google OAuth 2.0 and updates in Google middleware for 3.0.0 RC release

Rate This
  • Comments 12

This article explains the recent changes made to Google OpenID and OAuth 2.0 along with the corresponding updates to the 3.0.0 RC release of Google OAuth  middleware.

Here we will first look at the experience of using Google OAuth middleware in an MVC application with the OWIN 2.1.0 release bits. We will then explain the current changes to Google OAuth API and implications on applications that would continue to use the 2.1.0 version of the packages. Finally we will look at the changes made in the recent 3.0.0 RC release of Google middleware.

Deprecated Google OpenID 2.0

In the Visual Studio 2013 RTM and Update 1 releases, the MVC web applications template using Individual Authentication used Google OpenID by default. The below code (found in Startup.Auth class) registered the middleware


As of April 20, 2014 the Open ID  was deprecated by Google and hence using Google OpenID for external login would throw an error as below


Google OAuth in OWIN 2.1.0 middleware

Applications can solve the above issue by using the Google OAuth 2.0 in the application. This is done by navigating to Google Developer Console to create a new project under users Google account and use the keys. For more detailed information on how to create an application and get the keys check this link.

Once the keys are obtained the they are used to register the middleware in the Startup.Auth as below


app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions()
 ClientId = "",
ClientSecret = "XXXXXXXXXX"

Set the callback url in the application created in Google console to {app-url}/siginin-google instead of the default


This should allow applications using Google middleware version 2.1.0 to use Google as an external authentication provider. For a complete sample, see MVC 5 App with Facebook, Twitter, LinkedIn and Google OAuth2 Sign-on.

Changes to Google OAuth 2.0 and updates to Google middleware

On September 1, 2014 Google will deprecate the earlier version of OAuth 2.0 and will no longer support it. To accommodate these changes, the recent 3.0.0 RC release of Google middleware has been updated. For more information on the changes to the OAuth 2.0 login from Google, please refer this link.

Once the current application is updated to the 3.0.0. RC bits, using Google as an external authentication provider may fail. Below is the screen shot of the Fiddler trace with the failure message for a default MVC application:


The end point for the OAuth has been changed to and needs changes to the application created on the developer console.

To make these change, go to Google Console where the application is created. Navigate to the ‘APIs’ tab under the ‘APIS & AUTH’ section and you can see that for the app the Google+ API are not enabled by default.


Click on ‘OFF’ and read and accept the terms to enable the Google+ API. Now run the application and try to login using Google. Logging in should be a success.


This article showed the previous experience of using Google as an external login provider and the upcoming changes in Google OAuth 2.0 and the corresponding updates to Google middleware in the 3.0 RC release. These are some of the updates that are included in the new 3.0.0 RC release of other middlewares as well. Please provider feedback on issues in this article or on codeplex ( You can also follow me on Twitter (@suhasbjoshi).

Thanks to Praburaj, Chris and Rick for reviewing the article

Leave a Comment
  • Please add 5 and 5 and type the answer here:
  • Post
  • Hi Suhas Joshi, thanks for this post. I'm struggeling for days now to get a new VS2013 Webforms application working with Google external authentication, and this article helped me a lot.

    However.. ;-) .. I'm building a webforms application, not MVC, and I  have no "Startup.Auth". I can create on but I think I should use App_Start\AuthConfig.cs. This file does not has 'app.UseGoogleAuthentication', but 'OpenAuth.AuthenticationClients.AddGoogle'.

    So this what I tried:

    I updated Nu-Get package Microsoft.Owin.Security.Google to 3.00 RC 2

    I changed OpenAuth.AuthenticationClients.AddGoogle() in AuthConfig.cs  to

    OpenAuth.AuthenticationClients.AddGoogle(new GoogleOAuth2AuthenticationOptions()


                   ClientId = "",

                   ClientSecret = "xxxxxxxxxxxxx"


    When I start this webapplication it gives a NullReferenceException at Microsoft.AspNet.Membership.OpenAuth.<>c__DisplayClass3.<Add>b__1(PropertyInfo property)

    Can you please help me out on this?

  • @Robert: You are referring to the OpenAuth packages in web forms application which is different from the Katana OAuth middlewares. If you don't have Startup class in your application then you might not have Owin pipeline registered for your application. Hence this blog post might not be applicable to you. You can use Stackoverflow or ASP.NET forums to get your question answered

  • Hi,

    this is a realease candidate right?

    When will the final version be ready?


  • This article didn't show up when I searched for OWIN Google oAuth2 error=access_denied because the error message is only in a screenshot. Just wanted ad that message to the text so it may be found via Google :)

    By the way, thanks for posting this, I had spent about three hours banging my head against a wall before I found this post by coincidence and it solved it instantly :)

  • Thank you very much for this.

    I will now write my own blog post for this, as the error should be emphasized somehow.


  • Hi,

    Regarding OpenId 2.0, you miss the fact that we need to migrate the OpenId 2.0 identifier to OpenId Connect. And getting the old OpenId 2.0 identifier is part of the OpenId Connect workflow (adding a openid.realm parameter to the auth request and reading the openid identifier in the token_id). The current implementation do not offer a proper way of doing it.

    Please find details here : and

  • Google documentation is so inconsistent with naming the oauth/openid protocols they support. Unfortunately while very helpful, this article also adds to the confusion in using names that do not necessarily align with google's documentation.

    Can you please confirm the following:

    - Google sign in that shipped in the MVC web applications template using Individual Authentication was based on Google OpenID. The Google middleware that supported OpenID was version 2.1 and earlier. Google deprecated OpenID in April,, but will shut it down on April 20, 2015. Until then you can continue using it as long as you have previously registered the domain, as you can't register new domains anymore.

    - The suggestion is to go from OpenID to Google OAuth 2.0, however AFAIK Google has two versions of OAuth 2.0 for login at this point:

    1. OAuth 2.0 for login (early version)

    2. OAuth 2.0 for login (OpenID Connect)

    OAuth 2.0 for login (early version) was deprecated in September 1, 2014, but they keep it available for backward compatibility. As of now, no shut down date has been published.

    - Going forward Google wants to support OAuth 2.0 for login (OpenID Connect)

    The updates you're descibing are to go from OpenID to OAuth 2 for login (early version) or straight to OAuth 2 for login (OpenID Connect)?

    Your clarification will be much appreciated.

  • Just FYI, if you don't want to have the endpoint of /signin-google as shown in the post, you can change the redirect url value in GoogleOAuth2AuthenticationOptions

    app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions()


       CallbackPath = new PathString("/auth")


  • Unfortunately, these instructions do not seem to work all on their own.  The default ASP.NET MVC 5 template uses /Account/ExternalLoginCallback as the expected URI, not /signin-google.

    Thus, you need to apply 1) A RouteConfig for signin-google to a controller action 2) A permanent redirect to the ExternalLoginCallback from there.

    I've posted a GitHub repository with a quick-fix, probably not suited for production distribution (ex: virtual paths wouldn't be supported because the permanent redirect uses a root path).

    Here's the URL:

  • Nice way to autentication users.

  • In the article you refer to the URL as `{app-url}/siginin-google`.  You probably want to change that to `{app-url}/signin-google`.  Note the extra i.

  • I have a gmail account and am having telecommunication issues thanks to TELSRA directly.

    so my usual number 0477 675 510 is unable to receive confirmation security numbers for me to reiterate, ensuring a secure email account is assured. Please contact me via telephone number to rectify this issue asap on the somewhat accessible number 0484 363 096.

    Thanks for your time and I hope to hear from you soon.

    Melissa O'Neil

    (currently in use Telstra) 0484 363 096

    (boost forwarding voice calls not txt's unfortunately) 0477 675 510

    p.s. you know I may temporarily set up a new gmail account until the seemingly current phone problem can is rectified. */

Page 1 of 1 (12 items)