Last night a site that has been working fine for about six months started getting a 403 error when using Google OAuth. The authentication code hasn't changed, and I don't see any notes that Google OAuth suddenly changed either. I've tried re-issuing the client ID (including client secret) but that didn't fix it.
Details:
Full error: "Access Not Configured. Please use Google Developers Console to activate the API for your project." comes after this (scrubbed) request:
https://accounts.google.com/o/oauth2/auth?response_type=code&redirect_uri=https%3A%2F%2Fx.y.com%2Fauth%2Fgoogle%2Fcallback&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&client_id=12345-abcdefg.apps.googleusercontent.com
The response header does contain this (scrubbed):
Location: https://x.y.com/auth/google/callback?code=4/MF-V...
which contains the code similar to what I see in the API playground.
Server setup: node.js running express with passport/passport-google-oauth.
I don't know what API needs to be enabled -- I sort of think this is a miss-sense error. None of the APIs in the "APIs & auth" section of the Developers Console appear to be relevant. I'm configuring OAuth under "APIs & auth > Credentials." This is not YouTube or Google+ authentication.
I don't think this is the cause of your problem but you should be aware of it anyway. Using OAuth 2.0 for Login (early version)
Important: Google has deprecated the early implementation of OAuth 2.0
for login that is described in this document and will no longer
support it, after a migration period. If your app uses OAuth 2.0 login
(early version), you should either switch to Google+ Sign-In or update
your existing userinfo endpoints and scopes by the deadline given in
the migration timetable. For instructions, see Migrate or update OAuth
2.0 login.
Migration timetable says on Sept. 1, 2014 it's gone: https://developers.google.com/+/api/auth-migration#timetable
We are having the same issues. I don't know if it is luck or what, but a few minutes ago I finally started just enabling APIs to see if it would help. I enabled Google+ Domains API, Google+ Hangouts API, Admin SDK. After not being able to log in all day (same error that you were getting), I have logged in twice now.
The context:
I'm trying to develop a desktop app with ElectronJS which needs access to Google APIs. As such, I want my users to be able to connect to their Google account via OAuth2.
As I use Electron, I have no safe way to store a "client-secret" and must use the "mobile app" method.
The problem:
Google keeps rejecting my redirect_uri:
The doc I followed:
The official npm "google-auth-library" package mentions the following regarding OAuth authentication for Electron apps ("OAuth2 with Installed Apps (Electron)" section):
If you're authenticating with OAuth2 from an installed application (like Electron), you may not want to embed your client_secret inside of the application sources. To work around this restriction, you can choose the iOS application type when creating your OAuth2 credentials in the Google Developers console
As doing so gave me the previously mentioned Error 400, I looked into Google Identity documentation and saw this regarding localhost redirection:
Note that support for the loopback IP address redirect option on mobile apps is DEPRECATED.
My question:
At this point, I suspect that this is the reason Google is responding Error 400 to my requests (but I admit it could be my fault. I just don't understand what I do wrong as I feel like I follow the documentation strictly.)
If so, what are the possible ways to solve the issue? Knowing that I have strictly 0 budget for this project and so I cannot afford to redirect to a domain I would buy or afford a server acting as proxy between my app and Google APIs.
(The code, if useful)
I use the "complete OAuth2 example" from google-auth-library except I changed the OAuth2Client constructor call to this, following the doc's recommendations:
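const { OAuth2Client } = require("google-auth-library");

// Installed-app (public) client: only the client ID and a loopback redirect URI are passed, no clientSecret
const oAuth2Client = new OAuth2Client({
  clientId: "<the clientID of my project from Google API Console>",
  redirectUri: "http://127.0.0.1:3000"
});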
In despair, I've tried a whole lot of different URL formats, but nothing works.
Thanks in advance for your help.
OAUTH BEHAVIOUR
An OpenID Connect desktop app uses PKCE without a client secret. According to RFC8252 it then receives the login response on either a loopback URL or via a private URI scheme notification.
The loopback option is fine for a desktop app but should not be used for a mobile app. Conversely, claimed HTTPS redirect URLs work for mobile apps but not desktop apps.
TROUBLESHOOTING YOUR PROBLEM
It is not clear whether your problem is caused by using a loopback URL or something else. To troubleshoot, you can use a couple of demo Electron apps of mine:
Loopback example
Private URI Scheme example
In both cases, edit the desktop.config.json file in the root folder. Replace my AWS Cognito values with your Google values. Then run npm start. See if that gets you any further, and post any follow up questions.
I am getting an Authorization Error from OAuth 2.0 Playground when trying to Authorize APIs. I have checked the permissions on the app multiple times (as I am the OWNER), I have fixed security issues (Google asking questions), tried multiple browsers and multiple email accounts (under new projects). Below is the error message:
Error 403: access_denied
The developer hasn’t given you access to this app. It’s currently being tested and it hasn’t been verified by Google. If you think you should have access, contact the developer (recipe.tracker.app#gmail.com).
Learn more
Request Details
access_type=offline
response_type=code
redirect_uri=https://developers.google.com/oauthplayground
prompt=consent
client_id=765247627523-mhvqb7sc2or6rittk8dp0ti7b1ba8eel.apps.googleusercontent.com
scope=https://mail.google.com
Daniyal dehleh's original answer that solved my problem
Solution to my OAuth 2.0 Playground error:
Go to your developer console.
Go to OAuth consent screen.
Go to +Add users, under test users.
Add the users for the test (even the owner email address if not working without it)
I had the same issue.
Solution for me was to
https://www.google.com/settings/security/lesssecureapps Enable less secure apps
https://accounts.google.com/b/0/displayunlockcaptcha Enable this functionality
add the Email to Test users while app is in development mode
I'm new to the concept of maintaining user accounts in a website. I read from this Google developers page that Google provides an authentication and an authorization service. I'm only interested in maintaining accounts on my website that users can log into using their Google account username and password. I have an Express.js server.
I've spent hours reading about this online and stumbled upon one thing: the passport-google-oauth module can be used to do this. But I was unable to find how to get this working with the latest version of Express. Please help.
I would also like to know how to create a project on the Google Developers Console so that the users do not need Google+ accounts to use oauth2 (to get the Client id and secret).
I have to build a web app for the Google Apps Marketplace where my app would enable Google Apps users to access and back up their Google Apps email to my server.
While I have a good knowledge of PHP etc., with no prior knowledge of Google Apps development, I have been reading the developers.google.com documentation for the last couple of days and everything is starting to get confused with each other now, with SAML, OAuth2, OpenID, SSO etc., and Google Apps Mail and Gmail itself. So far, I have done the helloworld app from the documentation that accesses the calendar and uses SSO for it.
I would appreciate it if you could point me in the right direction on how I should proceed with accessing the mail of the Google Apps user.
Since you wish to use the Google Apps Marketplace, you'll want to use 2-legged OAuth 1.0 with your application. OAuth 1.0 is officially deprecated but it's still the only supported authentication method to Google Accounts for the Marketplace.
Instructions for authenticating to Gmail IMAP via 2-legged OAuth 1.0 are available at:
https://developers.google.com/gmail/oauth_protocol
Seems like you are in the right place already - if you are going through the main developers.google.com documentation, that's where it should be.
I have had a look through their documentation, and found this though: Mail PHP API Overview
A quote from the above link/documentation:
App Engine applications can send email messages on behalf of the app's
administrators, and on behalf of users with Google Accounts. Apps can
receive email at various addresses. Apps send messages using the Mail
service and receive messages in the form of HTTP requests initiated by
App Engine and posted to the app.
More information:
Getting Started - Introduction - Google App Engine
Tutorial - Hello, World! - Google App Engine
Installing the PHP SDK - Google App Engine
EDIT
As I mentioned in the comments below, after further searching, I found this documentation for Google Data Apps APIs which should be helpful (the page currently 404s, but I've sent off a message to Google, so hopefully it should be fixed soon).
There is also a deprecated version of OAuth 1.0 that you could use to authenticate Gmail with IMAP/SMTP, using standard "three-legged" or non-standard "two-legged" OAuth.
I have a website which uses Azure ACS for federated authentication, which is published in the cloud. Once I logged off from the Google provider as one Gmail user and tried to log in with other Gmail credentials, the website is not providing me an option to log in; it is directly accessing the previous Gmail credentials and redirecting me to the Gmail home page. How to solve this issue?
You have to also log-off from your application. Signing out from Google will only affect if you are being redirected for log-in to Google again.
But once authenticated with Google, you now have a new session in your own web site. And you will be logged in to your own website until (a) your session expires or (b) you explicitly sign out.
When using WIF/ACS, to explicitly sign out of a web application you need to execute following method:
var wsFedModule = FederatedAuthentication.WSFederationAuthenticationModule;
wsFedModule.SignOut();
You can read more about FederatedAuthentication here and the specific SignOut method here.
Please pay attention to the references - they are all from .NET Framework 4.5 and in the System.IdentityModel.Services assembly, version 4.0.0.0! I strongly advise using that framework version and those assemblies, as opposed to using the .NET Framework 3.5 (4.0) and the WIF assembly Microsoft.IdentityModel.