When I log in with an account which does not belong to the expected domain, this message is shown (which is correct).
I think this message is kind of ugly and not understandable for a non-developer person. Is there a way to modify this message in the Google Cloud Console or inside the OAuth code? I would like to display for example:
The email you used does not belong to the happy.com domain.
I fount this Feature Request In the Public Issue Tracker, and there they suggest to follow the steps of Customize the rejected-app message. Basically it mentions:
Your current account, user#domain.com, doesn't have permission to do these steps. To continue, switch to an administrator account. This will open the Google Admin console.
Switch to administrator account now or Learn more
From the Admin console Home page, go to "" and then Security and then API controls.
Under App access control, go to the Settings section.
Type your custom text in the box under the following message: Show this message if a user tries to use an app that can’t access restricted Google services.
Click SAVE.
If this doesn't make it, I would recommend you to comment on that FR in which they mentioned:
I have filed this feature request internally.
You might also want to ‘star’ the FR to ensure that you receive updates about it. You can also adjust notification settings by clicking the gear icon in the top right corner and selecting settings.
Related
I'm writing a Playwright test that starts with a Google Auth0 login. After I fill my test user and password in the UI (google login), in Firefox and Webkit the authentication passes successfully, while, on Chromium, I'm getting the Verify it's you message (with a "send sms" message).
The account does not have 2 steps authentication.
When it happened locally, I opened the browser in headful mode, and after few clicks (which I assume "told" the browser that I'm a real user) the problem disappeared (I can now run my tests in headless mode locally). But, it still happens on CI (GitHub)
I run the test with chromium flags: --disable-dev-shm-usage and --disable-web-security.
I couldn't find any data about it anywhere...
When Google determines that a user is logging in from an unknown device or a new location, they may prompt the user with an additional login challenge.
The login challenge that the user receives depends on the information that associated with the account.
Does the prompt say "Enter a phone number to get a text message" or something else like "This device isn't recognized..."
If the former I believe you can circumvent this extra prompt by having a phone number linked to the Google account in question. If the latter I believe the prompt is once per user per device.
My understanding it is basically Google trying to get a valid phone number for the account (to prevent spam etc).
-- Edit
The only other thing I can think of is that you can temporarily turn off the verify-it's-you challenge, for 10 mins, but only if the account is a member of a Google Workspace or Cloud Identity service. I am not sure this is possible for an unmanaged account - or how useful it would be. The other issue is that for "free services" Google doesn't really offer any kind of support.
Anyhow, you might try "Temporarily turn off login challenges for a user" -
https://support.google.com/a/answer/12077697
There is also so good information on this verify-it's-you challenge here.
https://workspaceupdates.googleblog.com/2018/04/more-secure-sign-in-chrome.html
It has some notes on disabling the challenge per organization via response headers, but again this is for an organization and managed accounts.
If you wish to disable the new screen for your organization, you can
use the X-GoogApps-AllowedDomains HTTP header to identify specific
domains whose users can access Google services. Users in those domains
won’t see this additional screen, as we assume those accounts are
trusted by your users. This header can be set in Chrome via the
AllowedDomainsForApps group policy.
I am integrating Box.com with my application. My flow is when the employee login for the very first time, he will be presented with Box Page in an frame (Please note I am not using Box Embed Widgt as such).
After entering the valid username and password in box page, then user wil be taken to another page, where he can select "access to box" or "Deny Access".
Now my issue is when I click on Deny Access nothing happens, I get a blank screen. When debug it reaches my application back and but nothing happens.
Could you please guide me.
Thanks
If the user clicks deny, then Box will call your redirect URI (on your server) with
You will receive a GET request at
https://www.yourServer.com/someendpoint?error=access_denied&error_description=The+user+denied+access+to+your+application
You will need to handle that response, and know that the user decided they did not want to use your application.
You do get a notification of the denial via the page registered with Box.
When you register your application with Box you provide a page (your page) that will be called when the oAuth completes.
This is explained in this tutorial: http://developers.box.com/oauth/
Look particularly at this section:
Authorization Code: The authorization code is only valid for 30 seconds.
However, if the user clicked Deny, you will receive a request with an error and error_description parameter, such as:
GET https://www.sean.com/rose?error=access_denied&error_description=The+user+denied+access+to+your+application
I am trying to authenticate using OAuth2 with Google Maps Coordinate but I am having an issue when specifying the scope that I want the Auth tokens to be valid for. The URL I am using to request an access code is in this format:
https://accounts.google.com/o/oauth2/auth?response_type=code&client_id={client id}&redirect_uri={App URL}&approval_prompt=force&scope=https://www.googleapis.com/auth/coordinate
The issue I am having is that the consent screen just says "This app would like to: Have offline access". It does not mention granting permissions for interacting with Google Maps Coordinate. I am starting to think this a bug on Google's side, because if i try to get a read only token by adding .readonly to the end of the url, the consent screen shows "This app would like to: View your Google Coordinate Jobs". Similarly, if I replace coordinate with docs or drive, I get the correct consent screen where the app requests permissions to access and modify Google Drive content.
If I get a token using the coordinate scope with the "Have offline access" permissions and then use that token to try and make requests to coordinate, I just get "Insufficient Permissions" errors.
The issue only seems to be happening when trying to get an access code for Maps Coordinate. Has anyone else experienced this issue?
Thanks
This is not a bug, this is just a strange behaviour (and maybe a bug). (so it may be not 100% correct, what I'm telling)
You use in your request url approval_prompt=force, that means, that the user will always be asked to give permission. What follows is, that you get a refresh token (that doesn't expires, unless the user removes explicitly the permission for your app from his account), which you have to exchange for an access token.
That is also the reason, that you always get only "This app would like to: Have offline access". Once you permitted a specific scope, it won't show up anymore in the consent screen.
The docs and drive consent screens are showing the right, because you didn't give the permsission for them.
I see basically two possibilities for you: don't use approval prompt (and thus skip the consent screen after the first authorization, you will be simply redirected as the user clicked allow, but without clicking allow) or exchange the token to a refresh token.
Or try revoking your permission for your account.
I think when it shows Offline Access it means you've already accept these permissions before. This has sometimes happened to me, try revoking the old access and try again to obtain fresh tokens. Go to you Google account page (https://www.google.com/settings/personalinfo) --> Security --> Account Permissions --> View All, then search the Maps access and revoke it, then try again
I get 403 access_denied_insufficient_permissions error when trying to access a file present on box enterprise admin account.
We use the "as-user" header to access files of any user on the enterprise. In our case, bob#acme.com is the admin user and he gave access to my box application the permission to access any files. If I try to access files on bob's account using "As-user" or "On-behalf-of: bob#acme.com" header, I get access denied error. If I do not use this header, I am able to access the documents. I don't think this is a valid work around for this issue as we do not know at run-time if a user is admin or a regular user. Have any of you run into this issue?
Box recently made a change in their Oauth token scopes. Every app now carries an additional setting to allow the app to have scope level of managing the enterprise. You need to enable that on your app and then see what happens. It should work, I think.
We faced the same issues a few days back and due the above suggested change worked for us. Here is the announcement from box.
I have this issue as well. What you can do is to ask the Box API to get the current user and compare that userId to the one you are going to be running as. If they differ, add As-user header, otherwise don't.
It does require one extra API call (getCurrentUser), but it works.
It's a little silly, it seems it would be a very easy thing to fix on the box end.
I was following the steps from box.net document
http://developers.box.com/get-started/#authenticating
I can get a ticket as it said first.
Then I use that ticket at following url https://www.box.com/api/1.0/auth/{your ticket}
in a browser, it works as it says. the browser will direct the user to box login page.
In that login page if I input username/password for login.
I can get the auth_token as the document says.
The problem is while I didn't choose username/password for login but use google openid to login an box account.
I will not able to get that auth_token as the document says. the returning response with following status:
not_logged_in
I want to know if this is a bug or I not correctly using the API to get that auth_token.
As many of box user now are using google openid as primely login choice this seems an common use case need be supported.
If anyone know the answer would be very appreciated.
Thanks
If a non-OpenID user is able to authenticate through the Box API's standard authentication process, then your code is fine. We have had reports of issues for our Single Signon issues, so this is likely a bug on our end.
Just make sure your app can authenticate users who have Box passwords. When we resolve these SSO issues, OpenID users will be able to connect your app without any changes on your end.