We have a web app that uses OAuth to sync users' Gmail accounts, asking for some credentials. Since last week we have been getting the message "Sign in with Google is temporarily disabled for app", but we haven't changed anything in our settings at all. Also, we have everything approved and configured, because it was working fine before then.
You need to follow the process described [here][1] to request verification for your app.
[1] https://support.google.com/cloud/answer/7454865?hl=en
Also see https://gsuite-developers.googleblog.com/2018/06/new-oauth-protections-to-reduce-risk.html
I have a Google Cloud App Engine app that functions correctly when I either allow unauthenticated allUsers access or turn on IAM for controlling access in Identity-Aware Proxy. However, when I follow the instructions on this page https://cloud.google.com/iap/docs/cloud-run-sign-in to enable Cloud Run hosted sign-in with external identities and attempt to access either the login page or the Google Cloud Run hosted sign-in page, I receive the following error in the browser.
"Could not fetch URI /computeMetadata/v1/instance/service-accounts/default/token?scopes=https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/identitytoolkit"
For context, the Google Cloud Run service hosting the user sign-in is set to allow all unauthenticated access. It should redirect to the Google App Engine web app. I think this is related to permissions or redirects, but I am at a loss as to how to fix it. Any thoughts? Thanks!
I attempted to fix it by re-deploying the Cloud Run service, switching IAP on and off, and switching between IAM and external identities, but with no success.
Thanks @John Hanley, I discovered that one of my Compute Engine service accounts was disabled for some reason within the project. Re-enabling it solved the problem partially. I'll spend more time matrixing out the permissions and redirects to make sure they are aligned.
I originally thought I completely answered my own question and solved my problem. Unfortunately, I only solved one of the problems with my implementation of the external identities authentication method.
Description of the other problem:
I enabled email/password and Google as providers, but when I click on the option to authenticate with Google, I receive the following text in the browser: "The requested action is invalid."
At the Console in Dev Tools I get the following error:
GET https://www.googleapis.com/identitytoolkit/v3/relyingparty/getProjectConfig?key=*mykey*&cb=1599165379363 403
The following url is displayed in the URL bar:
https://.firebaseapp.com/__/auth/handler?apiKey=mykey&appName=%5BDEFAULT%5D-firebaseui-temp&authType=signInViaRedirect&providerId=google.com&customParameters=%7B%22hl%22%3A%22en%22%7D&scopes=profile&redirectUrl=https%3A%2F%2Fiap-gcip-hosted-ui-app-engine-app-myserver-uc.a.run.app%2F%3FapiKey%3Dmykey**&v=7.16.0&fw=FirebaseUI-web
mykey and myserver were removed for this post and are not the actual values.
Email/password sign-in works, but not the Google sign-in. What am I missing here?
I'm working on a SAML SSO integration for our app using Google / G Suite. Our customers configure our SAML app in their company's G Suite admin settings. The integration works correctly in most cases:
Suppose you're not signed into a Google account yet. You initiate the SSO process. You're prompted to sign into your company Google account, and SSO works correctly.
Suppose you're already signed into your company Google account and your personal Google account. You initiate the SSO process. You see an account chooser. If you choose your company Google account, SSO works correctly.
However, SSO fails in this case:
Suppose you are only signed into your personal Google account. Google does not display the account chooser. Instead, you immediately get a 403 error: "Error: app_not_configured_for_user."
This has led to a very confusing experience for our users. It's pretty common that you're currently only signed into one Google account that's not your company Google account. Furthermore, the error page is opaque: it's not clear to a user what they did wrong.
Is there any way to always show the account chooser? For example, are there any parameters we can add to the /o/saml2/idp url or the SAML AuthnRequest? (E.g. we tried setting ForceAuthn and adding a <saml:Subject> block in the AuthnRequest, but it seems Google's SAML does not support either.)
Or is there a way for our app to get a callback on error, so we can show a more meaningful error message?
(I contacted G Suite support, and they said to ask our question on Stack Overflow instead. Appreciate your help here!)
Instead of redirecting directly from your app to the Google IdP, you need to redirect to
https://accounts.google.com/accountchooser?continue={theredirectURL}
See
Google SAML app_not_configured_for_user / equivalent of prompt=select_account SAML
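As an added example (not code from the answer above or from any of the linked projects), here is the account-chooser wrapping done in Node.js with the built-in URL API. The idpid, SAMLRequest and RelayState values are constructed placeholders, and the Express-style handler is assumed; the point is that the whole IdP URL, including its own query string, has to go percent-encoded into the single `continue` parameter, and that the wrapper should refuse to forward anything that is not an https://accounts.google.com target so this code path can never be turned into an open redirect.

```javascript
// Added example: send the user to Google's account chooser first, so a
// session that is only signed into a personal account gets to pick the
// company account instead of hitting app_not_configured_for_user.
// Assumptions: placeholder idpid/SAMLRequest/RelayState values and an
// Express-style (req, res) handler; none of these come from the original post.

const ACCOUNT_CHOOSER = 'https://accounts.google.com/accountchooser';

// Wraps an IdP redirect URL in the account chooser. Throws if the target is
// not an https accounts.google.com URL: the `continue` value is a redirect
// target, so anything else here would be an open redirect on our side.
function accountChooserUrl(idpRedirectUrl) {
  const target = new URL(idpRedirectUrl);
  if (target.protocol !== 'https:' || target.hostname !== 'accounts.google.com') {
    throw new Error('continue target must be an https://accounts.google.com URL');
  }
  const chooser = new URL(ACCOUNT_CHOOSER);
  // URLSearchParams percent-encodes the nested URL, including its '?', '&'
  // and '=' characters, so SAMLRequest and RelayState survive the round trip.
  chooser.searchParams.set('continue', target.toString());
  return chooser.toString();
}

// Inverse of accountChooserUrl: recover the wrapped IdP URL from a chooser URL.
function continueTarget(chooserUrl) {
  return new URL(chooserUrl).searchParams.get('continue');
}

// Constructed sample: an HTTP-Redirect binding request to a Google SAML IdP.
// The SAMLRequest value is a placeholder, not a real deflated AuthnRequest.
function sampleIdpUrl() {
  const idp = new URL('https://accounts.google.com/o/saml2/idp');
  idp.searchParams.set('idpid', 'C00example');
  idp.searchParams.set('SAMLRequest', 'ZmFrZS1yZXF1ZXN0');
  idp.searchParams.set('RelayState', 'https://app.example.com/after-login');
  return idp.toString();
}

// Assumed Express-style route: the SSO start endpoint redirects to the
// chooser instead of straight to the IdP.
function ssoStartHandler(req, res) {
  res.redirect(302, accountChooserUrl(sampleIdpUrl()));
}
```

Because the IdP URL carries the SAMLRequest and RelayState in its query string, building it with `URL`/`URLSearchParams` rather than string concatenation is what keeps the nested encoding correct; `continueTarget` is there so you can confirm the wrapped URL round-trips unchanged.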
If you are using passport-saml,
there is a fork that fixes this behavior.
Set googleAuth: true in the configuration, and then during authorization there will be a redirect to the Google account selection page.
I had this same issue. When I then added the G suite account to my Android device under Settings > Accounts and retried the login flow, I was properly prompted with the Account Chooser. Not the solution I was really looking for, but it did change the outcome.
I had the exact same problem when working with Keeper Password Manager. I solved it by erasing everything from ~/Library/Application Support/Keeper Password Manager/Cookies
I suggest you look for a similar folder in your app and do the same
I need Google OAuth for Google+ login on my OpenCart store. My app is requesting the following scopes only, and the app is public.
https://googleapis.com/auth/plus.me
https://googleapis.com/auth/userinfo.profile
https://googleapis.com/auth/userinfo.email
These are not sensitive scopes, and on my OAuth consent screen I see the submit verification button is disabled and it says
Your changes don't require verification
Still, customers see the Unverified app screen ("This app isn't verified").
I have also submitted the OAuth app verification form https://support.google.com/code/contact/oauth_app_verification . It's been more than a week and I have not got any response from Google.
Please suggest a way to remove the Unverified app screen for my customers.
Google will ignore your request for verification unless you have one or more sensitive scopes listed in the OAuth consent screen list of "Scopes for Google APIs".
There are a bunch of steps for this so I made a video while I add a sensitive scope to an OAuth consent screen.
Here are the steps, written out:
First, be sure that all URIs associated with your project are hosted on HTTPS. This includes the Authorized Javascript URIs and Authorized Redirect URIs listed in each of the OAuth Credentials. Google won't approve any app that uses any insecure connections.
Next, confirm that your OAuth app has enabled access to the sensitive API (such as People or Contacts API).
Then, add the scope to your "OAuth consent screen".
Finally, click the enabled "Submit for verification" button at the bottom of the form.
You should not require app verification if you are only setting up 'Sign in with Google'. An app review is required if you request sensitive scopes. Google+ sign-in is deprecated, you should be using the branding-approved 'Sign in with Google' button: https://developers.google.com/identity/branding-guidelines
If you do use sensitive scopes, you should update the scopes section of the OAuth consent screen configuration to include all sensitive scopes you are requesting before the 'Submit for verification' button becomes available. In order to add your sensitive scopes on the configuration page, you need to enable the APIs you would like your project to access. For example, enable the Gmail APIs for your project by visiting the API library, then add the Gmail scopes to your consent screen configuration, fill out the additional information, and submit for verification.
Please see the 'User Consent' section of https://support.google.com/cloud/answer/6158849?hl=en for more information.
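The two answers above both come down to a consistency check that can be scripted before pressing "Submit for verification": every registered URI is HTTPS, and every sensitive scope the app actually puts in its authorization URL is also declared on the consent screen. The following is an added example in Node.js, not code from either answer; the SENSITIVE_SCOPES set is an assumption for illustration (the Gmail and Contacts scopes are the ones the answers name as sensitive, Google's own classification is the authority), and the client ID, hostnames and consent-screen list are constructed.

```javascript
// Added example: audit an OAuth client configuration against the two
// verification blockers the answers describe. SENSITIVE_SCOPES is an assumed,
// illustrative subset; check Google's current classification for your scopes.

const SENSITIVE_SCOPES = new Set([
  'https://www.googleapis.com/auth/gmail.readonly',
  'https://www.googleapis.com/auth/gmail.modify',
  'https://www.googleapis.com/auth/contacts.readonly',
  'https://www.googleapis.com/auth/contacts',
]);

// The scope parameter of https://accounts.google.com/o/oauth2/auth is a
// space-separated list; URLSearchParams undoes the percent-encoding for us.
function scopesFromAuthUrl(authUrl) {
  const raw = new URL(authUrl).searchParams.get('scope') || '';
  return raw.split(/\s+/).filter(Boolean);
}

// Any URI that is not https (or does not parse at all) is a finding.
function insecureUris(uris) {
  return uris.filter((u) => {
    try { return new URL(u).protocol !== 'https:'; } catch (e) { return true; }
  });
}

function auditOAuthConfig({ authUrl, redirectUris, jsOrigins, consentScreenScopes }) {
  const findings = [];
  for (const u of insecureUris([...redirectUris, ...jsOrigins])) {
    findings.push(`not https: ${u}`);
  }
  const requested = scopesFromAuthUrl(authUrl);
  const sensitive = requested.filter((s) => SENSITIVE_SCOPES.has(s));
  const declared = new Set(consentScreenScopes);
  for (const s of sensitive) {
    if (!declared.has(s)) findings.push(`sensitive scope requested but not on consent screen: ${s}`);
  }
  // The redirect_uri sent at runtime must match a registered one exactly.
  const redirectUri = new URL(authUrl).searchParams.get('redirect_uri');
  if (redirectUri && !redirectUris.includes(redirectUri)) {
    findings.push(`redirect_uri not registered: ${redirectUri}`);
  }
  return { requested, sensitive, verificationRequired: sensitive.length > 0, findings };
}

// Constructed sample mirroring the question: non-sensitive sign-in scopes only.
function sampleConfig() {
  const auth = new URL('https://accounts.google.com/o/oauth2/auth');
  auth.searchParams.set('client_id', 'EXAMPLE_CLIENT_ID'); // placeholder
  auth.searchParams.set('redirect_uri', 'https://shop.example.com/oauth/callback');
  auth.searchParams.set('response_type', 'code');
  auth.searchParams.set('scope', [
    'https://www.googleapis.com/auth/userinfo.profile',
    'https://www.googleapis.com/auth/userinfo.email',
  ].join(' '));
  return {
    authUrl: auth.toString(),
    redirectUris: ['https://shop.example.com/oauth/callback'],
    jsOrigins: ['https://shop.example.com'],
    consentScreenScopes: [
      'https://www.googleapis.com/auth/userinfo.profile',
      'https://www.googleapis.com/auth/userinfo.email',
    ],
  };
}
```

Run `auditOAuthConfig(sampleConfig())` on the sample and `verificationRequired` comes back false with no findings, which matches the "Your changes don't require verification" state in the question; append a Gmail scope to the auth URL without adding it to the consent screen and the same function reports both that verification is now required and which scope is missing from the configuration.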
Well, something is really off with my Google account.
[x] All URLS HTTPS
[x] Sensitive scope not added
[x] App submitted for verification
[x] Got an email stating verification not required.
Now if I do the following:
Open an incognito browser
Click login with Google
Sign in using a general email ID (I used an email account from Gmail)
Here's the warning: This app isn't verified!!
If I try doing this in a normal browser where I am already signed in, this doesn't show up! This can be really bad for new users; it guarantees a high bounce rate!
Can you guys give it a try and see if this is true?
Also, as an answer: I would suggest you check the app in incognito mode or in a fresh browser.
The scope parameter in the URL that starts with https://accounts.google.com/o/oauth2/auth?scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly[other params here]
We are integrating our app in the new Google Marketplace.
Our marketplace config in the developer console is ok.
Our oauth2/sso flow is ok (scopes match the ones setup in the console, auth params ok)
All users, when accessing our application through the navigation bar, don't see any consent screen. All is perfect... except for the following:
When an admin user is installing our application for his domain for the first time, he is presented with the domain consent screen displaying the scopes defined in our marketplace config, which is fine; he accepts and is presented with a "Launch app" button. This link hits our server, and a redirect is made to Google auth in order to get the email and profile of that user. The redirect happens so quickly that the admin is presented with yet another consent screen displaying the exact same scopes... which is bad.
If we wait 10-20 seconds after accepting the scopes for the domain before clicking the 'Launch app' button, the redirect to Google auth is done and no consent screen is presented to the admin.
Are we missing something? Some sort of polling technique with a callback? "Sleeping"?
The same happens with other apps available on Google Apps Marketplace.
I installed several apps from Marketplace (Mavenlink, Lucidchart, etc), and they showed exactly the same result. I was prompted with consent screen immediately after installing them. A bit later, and I was let in without prompting.
It seems that the information on the installed app is not immediately propagated through Google system. There is a short delay between the time the administrator installs an app to his domain, and the time that app becomes available on his domain.
Most users wouldn't mind to wait a minute after the installation. Unfortunately, a reviewer at Google is not that forgiving. If he is quick enough to start your app immediately after the installation, your app will be caught asking for consent, for which it will be rejected from Marketplace. Too bad.
My application is requesting permission for TRANSACTION_DETAILS, using paypal-sdk-permissions (1.96.2) gem.
Everything works fine in sandbox but fails when going live:
#errorId=550006,
#domain="PLATFORM",
#subdomain="Application",
#severity="Error",
#category="Application",
#message="The application is not authorized for the user"
EDIT
It seems I was using an APP ID submitted from a different Paypal account. After fixing that I got:
#errorId=550001 #message="User is not allowed to perform this action"
I have submitted a new app with the corresponding permissions and the status is Approved Conditionally.
Usually how long does it take to get a response from Paypal?
After only a couple of hours my app got approved.
Now everything works as expected.