Charles

Reputation: 1830

Does Google's UserInfo API offer any guarantees?

We implemented Google OAuth for our website a few months ago. So far two users (of ~100) have had incomplete userinfo profiles. We make a call to 'https://www.googleapis.com/oauth2/v1/userinfo?' with a valid token, and the response JSON contains only [locale, verified_email, email, id].

The docs (https://developers.google.com/accounts/docs/OAuth2Login#userinfocall) are not explicit, but the way I interpret them,

The response should ALWAYS include: [id, email, verified_email, name, given_name, family_name, timezone, gender] and SOMETIMES include: [picture, locale]

Does anyone know what kind of guarantee comes with the UserInfo API? Should I reject incomplete profiles as invalid? Is there any other explanation for why the profile would be incomplete?

UPDATE 3/6/14
I was able to replicate the problem. We send the user off to google requesting, two scopes:

https://www.googleapis.com/auth/userinfo.profile
and
https://www.googleapis.com/auth/userinfo.email

So far as I can tell Google does not allow users to cherry-pick which scopes they allow. It's all or nothing. However, I was able to remove the userinfo.profile scope from the URL and reload the page. This caused me to be sent back with a valid token, but not the correct scope. I'll need to hit the tokeninfo endpoint and make sure the correct scope has been authorized.

Upvotes: 2

Views: 627
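The check the update describes, as an added example that is not part of the question or any answer: inspect the tokeninfo response for the scopes actually granted before trusting the userinfo profile, and apply the site's own rule for which profile fields are mandatory (the "should I reject incomplete profiles" part of the question). The tokeninfo and userinfo documents below are constructed samples; the tokeninfo field names (scope as a space-separated string, audience, expires_in) follow the v1 tokeninfo endpoint as I understand it and are an assumption, the client id is a placeholder, and nothing here makes a network call.

```python
"""Added example, not code from the question or the answers.

Verifies that a Google OAuth access token was granted the scopes the site
requested (via the tokeninfo response) and that the userinfo profile meets
the site's own minimum-field policy. Sample documents are constructed.
"""
import json

SCOPE_PROFILE = "https://www.googleapis.com/auth/userinfo.profile"
SCOPE_EMAIL = "https://www.googleapis.com/auth/userinfo.email"
REQUIRED_SCOPES = frozenset({SCOPE_PROFILE, SCOPE_EMAIL})

# Application policy: fields an account must have before it is created.
REQUIRED_PROFILE_FIELDS = ("id", "email", "verified_email", "given_name", "family_name")

# Placeholder client id (assumption); compare against your own registered id.
OUR_CLIENT_ID = "123456789012.apps.googleusercontent.com"


class TokenCheckError(ValueError):
    """Raised when the token itself cannot be trusted (wrong audience, expired)."""


def check_tokeninfo(tokeninfo, client_id=OUR_CLIENT_ID, required=REQUIRED_SCOPES):
    """Return the set of required scopes NOT granted on this token.

    Raises TokenCheckError if the token was issued to another client or has
    expired. Field names assume the v1 tokeninfo response shape, where
    'scope' is one space-separated string.
    """
    if "error" in tokeninfo:
        raise TokenCheckError("tokeninfo reported error: %s" % tokeninfo["error"])
    if tokeninfo.get("audience") != client_id:
        raise TokenCheckError("token was issued to a different client")
    if int(tokeninfo.get("expires_in", 0)) <= 0:
        raise TokenCheckError("token expired")
    granted = set(tokeninfo.get("scope", "").split())
    return set(required) - granted


def validate_profile(userinfo, required=REQUIRED_PROFILE_FIELDS):
    """Return the list of required profile fields that are missing or empty."""
    return [f for f in required if userinfo.get(f) in (None, "")]


def accept_login(tokeninfo, userinfo):
    """Decide whether to trust this login. Returns (accepted, reason)."""
    try:
        missing_scopes = check_tokeninfo(tokeninfo)
    except TokenCheckError as exc:
        return False, str(exc)
    if missing_scopes:
        # The user trimmed a scope from the consent URL: valid token, wrong grant.
        return False, "scope not granted: " + " ".join(sorted(missing_scopes))
    missing_fields = validate_profile(userinfo)
    if missing_fields:
        return False, "incomplete profile: " + ", ".join(missing_fields)
    if userinfo.get("verified_email") is not True:
        # Never link accounts on an address Google has not verified.
        return False, "email not verified by Google"
    return True, "ok"


# --- constructed sample responses (not captured from Google) ---------------
FULL_TOKENINFO = json.loads("""{
  "issued_to": "123456789012.apps.googleusercontent.com",
  "audience": "123456789012.apps.googleusercontent.com",
  "user_id": "100000000000000000001",
  "scope": "%s %s",
  "expires_in": 3599, "email": "alice@example.com",
  "verified_email": true, "access_type": "online"
}""" % (SCOPE_PROFILE, SCOPE_EMAIL))

# Token obtained after the user removed userinfo.profile from the URL.
TRIMMED_TOKENINFO = dict(FULL_TOKENINFO, scope=SCOPE_EMAIL)

FULL_USERINFO = {"id": "100000000000000000001", "email": "alice@example.com",
                 "verified_email": True, "name": "Alice Example",
                 "given_name": "Alice", "family_name": "Example",
                 "locale": "en"}

# The shape the question reports for the two affected users.
PARTIAL_USERINFO = {"locale": "en", "verified_email": True,
                    "email": "bob@example.com", "id": "100000000000000000002"}

if __name__ == "__main__":
    print(accept_login(FULL_TOKENINFO, FULL_USERINFO))
    print(accept_login(TRIMMED_TOKENINFO, PARTIAL_USERINFO))
```

Rejecting on a missing scope rather than on missing fields distinguishes the two cases the question conflates: a profile that genuinely lacks a name (an application-policy decision) versus a token that was never authorized for userinfo.profile at all (a grant the site did not get and must not assume).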

Answers (4)

Kevin Burke

Reputation: 64964

Try v3 of the userinfo API; it's been returning the given_name pretty reliably for me:

https://www.googleapis.com/oauth2/v3/userinfo

Upvotes: 0

Allen King

Reputation: 2516

I have had the same issue. For some profiles, the "userinfo" scope does not return given_name and family_name. Until I find why it is so, I am using blank strings for these two when no values are returned. I cannot assume that Google lets people create Google accounts without providing some values for first name and last name. Google APIs are buggy, slow and confusing. So I would rather assume that this is an API issue.

Upvotes: 0

Sthe

Reputation: 2705

NB: This is what I think:

I have also been working with OAuth for a bit of time now, and have encountered this issue on a number of occasions with Facebook profiles, for instance. To be honest, I don't see why the request should return incomplete data (assuming the scope is correct), other than that the actual profile from the provider is incomplete (although it doesn't make sense for you to have this [locale, verified_email, email, id] and no [firstName, lastName]). For example, some profiles don't have a profile picture, etc.

All in all, I would say: It is not guaranteed (and this is not just specific to Google). I have written an OAuth identity server before, and OAuth does nothing (unless I missed it) to enforce the type of data you must expose through an API. You should check the data before you store it.

And the rejecting profile part, I think this should be a criteria you set on your application to say that you don't accept profiles with no firstName for example.

Upvotes: 0

djechlin

Reputation: 60788

Are you using OpenID as well? I strongly suspect those users do not actually have valid OAuth tokens for UserInfo but rather you are getting the data corresponding to a weaker OAuth permission. Ideally, ask those users what data for your website appears in their Google accounts security page, and compare that with what is in that of a functional user e.g. yourself.

Try revoking your tokens and hitting the endpoint anyway and see what result you get.

Upvotes: 0
