I have a server side application that requires that a user sign in using his browser and then the server continues to use that token to do stuff on its own.
I'm using the flow described here, pretty much verbatim, but with a few additional scopes: https://developers.google.com/identity/sign-in/web/server-side-flow. In this flow, Google takes over through the login process. I create an auth2 object with gapi.auth2.init(), then I call .grantOfflineAccess() on that object, and later I get a callback with a token if succcessful. I don't know if this is the latest/greatest way to do it, but it works fine.
Today, I received an email from Google warning me that I am using the plus.me scope and that is deprecated and will stop working in March 2019.
Thing is, I'm not requesting that scope anywhere in my code and my app doesn't use Google Plus. I only request:
https://www.googleapis.com/auth/calendar.readonly
https://www.googleapis.com/auth/gmail.compose
profile
email
It looks like the insertion of the request for plus.me and a few other scopes is coming from Google's code, something that comes from https://apis.google.com/js/client:platform.js, or something that Google downloads later on as part of the login process -- that's the beauty of this process: Google does fancy stuff I don't need to know about.
But ultimately, the token I get back from Google includes:
scope: "openid email profile https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/gmail.compose https://www.googleapis.com/auth/calendar.readonly https://www.googleapis.com/auth/userinfo.email"
There is definitely stuff there I didn't ask for, including the plus.me which is I guess what I'm concerned about. How do I control or stop this? Or maybe I don't need to do anything and Google will take care of it themselves before they shutdown the plus.me scope?
You are right, your scope request is fine. plus.me is implied from your profile scope request. Unfortunately, the email notification went out to a number of developers in this situation. If you've done a code search and all we notified you about was plus.me, you should be fine. Just make sure you're not using any 3P libs that may also have this dependency.