Tags: java, google-plus, google-oauth, google-openid

Google authentication services migration - how to make sure the process was completed successfully?


Google has announced they are migrating their authentication services to consolidate the way the APIs work and supposedly make them "simpler". We want to make sure our app will work but are not really sure if the steps we've taken are enough.

We have a Java server app which uses google-oauth-client and its AuthorizationCodeFlow to authorize users. We have a client ID for web application created in Google Developers Console. We have defined a redirect URI there as well. We use the key and secret from developers console to create GoogleAuthorizationCodeFlow. When creating an authorization URL from that object we provide a redirect URI defined in the developers console.

We have changed the scope "https://www.googleapis.com/auth/userinfo.email" to "email" (we use it to call plus.people().get("me") now instead of oauth2.userinfo().v2().me().get()). In the end the scopes we provide when creating GoogleAuthorizationCodeFlow are "email", "openid" and "https://www.googleapis.com/auth/calendar".

We use the obtained token to manipulate user's calendar and to find out user's email.

We feel the documentation on how the whole authorization works and the migration guides are a little bit too distributed and it is hard to understand the fundamentals behind this whole process.

When developing our app we have made the best effort to fully understand OAuth 2.0 and how it works with Google APIs. We have read documentation, participated in an OAuth 2.0 workshop and followed Google's guides. We thought we had a fairly good understanding of what's happening behind the scenes. With this migration guide, however, our confusion arose. Are we actually using OAuth 2.0 login? Are we using OpenID 2.0 (since we use the openid and email scopes to receive the user's email along with the token)? Are we using the OpenID+OAuth hybrid? All of those options have separate subguides on how to migrate and this doesn't help with the confusion. So the question we have is: will this setup work after the migration process is over? Do we misunderstand something?
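As an added illustration (this is not the poster's code), the setup described in the question written against google-oauth-client and google-api-services-calendar: the same three scopes, an authorization URL built with the console redirect URI, the code exchange, and a Calendar client built from the stored credential. The class name, application name and in-memory credential store are assumptions; the client ID, secret and redirect URI are the ones from the Developers Console. Two checks the question does not mention are included because a practitioner would want them: the `state` parameter is generated and compared on the callback, and the ID token that the token endpoint returns whenever `openid` and `email` are requested is verified with `GoogleIdTokenVerifier` (signature, issuer, audience, expiry). Because that ID token already carries the `email` claim, reading it there removes the need for the `plus.people().get("me")` call just to learn the address.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.List;

import com.google.api.client.auth.oauth2.Credential;
import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeFlow;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.googleapis.auth.oauth2.GoogleTokenResponse;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.client.util.store.MemoryDataStoreFactory;
import com.google.api.services.calendar.Calendar;

// Added example, not the poster's code. Assumed: the servlet/session plumbing
// that stores the state value and calls these methods is outside this class.
public class GoogleSignIn {
    // The three scopes named in the question: OpenID Connect login plus Calendar.
    private static final List<String> SCOPES =
            Arrays.asList("openid", "email", "https://www.googleapis.com/auth/calendar");

    private final String redirectUri;
    private final HttpTransport transport;
    private final JsonFactory jsonFactory;
    private final GoogleAuthorizationCodeFlow flow;
    private final GoogleIdTokenVerifier verifier;
    private final SecureRandom random = new SecureRandom();

    public GoogleSignIn(String clientId, String clientSecret, String redirectUri)
            throws GeneralSecurityException, IOException {
        this.redirectUri = redirectUri;
        this.transport = GoogleNetHttpTransport.newTrustedTransport();
        this.jsonFactory = JacksonFactory.getDefaultInstance();
        this.flow = new GoogleAuthorizationCodeFlow.Builder(
                transport, jsonFactory, clientId, clientSecret, SCOPES)
                .setDataStoreFactory(MemoryDataStoreFactory.getDefaultInstance()) // assumed; use a persistent store
                .setAccessType("offline") // refresh token, so calendar access outlives the access token
                .build();
        // Checks signature against Google's published certificates, issuer, expiry and audience.
        this.verifier = new GoogleIdTokenVerifier.Builder(transport, jsonFactory)
                .setAudience(Collections.singletonList(clientId))
                .build();
    }

    /** Step 1: random anti-CSRF state; the caller keeps it in the user's session. */
    public String newState() {
        byte[] bytes = new byte[32];
        random.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    /** Step 2: URL to redirect the browser to; redirect_uri must match the console entry exactly. */
    public String authorizationUrl(String state) {
        return flow.newAuthorizationUrl()
                .setRedirectUri(redirectUri)
                .setState(state)
                .build();
    }

    /** Step 3: callback handling. Returns the verified email; the credential is stored under the subject id. */
    public String handleCallback(String code, String returnedState, String expectedState)
            throws GeneralSecurityException, IOException {
        if (returnedState == null || expectedState == null
                || !MessageDigest.isEqual(returnedState.getBytes(StandardCharsets.UTF_8),
                                          expectedState.getBytes(StandardCharsets.UTF_8))) {
            throw new SecurityException("OAuth state mismatch: possible CSRF or login fixation");
        }
        GoogleTokenResponse tokens = flow.newTokenRequest(code)
                .setRedirectUri(redirectUri)
                .execute();
        if (tokens.getIdToken() == null) {
            throw new SecurityException("token response carries no id_token; were openid/email requested?");
        }
        GoogleIdToken idToken = tokens.parseIdToken();
        if (!verifier.verify(idToken)) {
            throw new SecurityException("ID token failed verification (signature, issuer, audience or expiry)");
        }
        GoogleIdToken.Payload payload = idToken.getPayload();
        if (!Boolean.TRUE.equals(payload.getEmailVerified())) {
            throw new SecurityException("Google reports this email address as unverified");
        }
        // Key the stored credential by the stable subject id, not by the changeable email.
        flow.createAndStoreCredential(tokens, payload.getSubject());
        return payload.getEmail();
    }

    /** Step 4: Calendar client for a user whose credential was stored in step 3. */
    public Calendar calendarService(String subjectId) throws IOException {
        Credential credential = flow.loadCredential(subjectId);
        if (credential == null) {
            throw new IllegalStateException("no stored credential for subject " + subjectId);
        }
        return new Calendar.Builder(transport, jsonFactory, credential)
                .setApplicationName("example-app") // assumed application name
                .build();
    }
}
```

The `state` comparison uses `MessageDigest.isEqual` so that the check does not leak timing information, and the credential is keyed by the ID token's `sub` claim rather than the email, since an account's email can change while `sub` does not.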


Solution

  • We experienced no trouble with OAuth after the switchover date, which means the steps we've taken (those enumerated in our question) were enough and the services work fine.