I have received a mail from noreply-apps-developer#google.com with the subject “[Action Required] Submit your app(s) for Restricted Scopes OAuth verification”. In the email body, there is a link to the Google API Console. After I am in the Google API Console, under the tab named “Credentials” 2 fields are highlighted.
Following is the screenshot of the same.
Link to screenshot
I would like to know the reason for the error “Invalid domain”. Also, would be great if you can help me resolve the issue.
Please note: In the sections highlighted in red color, the site URL is present. I have removed it from the screenshot for security concerns.
Edit1:
As suggested, I have added the links for privacy policy, domain, etc. When I click on the "Submit for verification" button, a modal appears. I am unable to identify what information I need to add here. The details are as follows:
link for the screenshot of the modal which appears when I click on the submit button.
The application interacts with gmail in 2 instances:
1. Sending emails.
2. Reading emails received (emails having a particular subject line) and accessing the attachments present in it.
There is not other use of the gmail connectivity.
I am confused whether I should mark the application as "Internal" or should I submit it for verification. If I have to submit it for verification, then what details should I insert in the modal that appears on click of the "submit for verification" button (screenshot has been shared).
Request you to help me resolve the issue.
All URLs in your project must match one of your Authorized Domains. But your screenshot shows this field to be blank. You will need to tell Google which domains your app is allowed to run on.
For example, let's assume your homepage is at https://www.example.com/ and your privacy policy is at https://www.example.com/privacy. You'll need to include example.com in the first field under Authorized Domains.
In this screenshot below, I've added a matching Authorized Domain and the errors are resolved.
Check the "Learn more". It was stated in bold text that:
Add your Authorized Domains before you add your redirect or origin URIs, your homepage URL, your terms of service URL, or your privacy
policy URL.
Looking into your screenshot, something is missing and it is your Authorized domains.
Related
I am creating a web application in Golang/HTML. I am implementing registration, sessions, email verification, and login.
My code works, however I have noticed some strange browser behavior. When the user registers for the first time, my application will send them an email containing a link with a unique nonce (number used once) in the url. This is to ensure that the user is able to receive email from us at that address and "verify their email", as is standard practice on many web applications.
Please click the following link to verify your account: http://localhost:8080/verify-email/55c17d2c
I noticed that when I receive this email, if I click on the link in the email, the browser will open the link in a new tab as expected, however, it will not send any cookies on requests associated with that tab.
But when I copy and paste the link into a new tab manually and press enter, it sends the cookies just fine. What gives? is this some sort of undocumented security feature? What should I do about this?
I used https://github.com/six-ddc/httpflow to capture a log of the HTTP requests and responses going between my web browser and my server application. I have two separate logs, one of them captured a registration flow where i clicked the link, and the other one captured a registration flow where i copy and pasted the link into a new tab.
Log where link in email was clicked: https://paste.cyberia.club/~forest/2f3fce7dcc71fc095341eeaefb33f20883c79886
Log where link was copy and pasted from email into url bar: https://paste.cyberia.club/~forest/0623f76cfee339e91d2213dd8f4c7710c6fa2797
Please note that I tried this on firefox and google chrome, I also tried it with a real domain and https certificate, got the same behavior in all browsers and setups.
Here are my constraints:
I want the application to work fine with javascript disabled, however, I'm open to javascript-based solutions if they are simple, secure, and make the site more enjoyable to use. For example, I am using a javascript that hashes passwords client side before sending to the server for login. But if javascript is disabled, the raw password will be sent.
I don't want the user to have to log in again after they click the link to verify their email address.
I don't want the link in the email address to represent a "free pass" into the user's account. I want to require the user to be already logged in (or somehow otherwise authenticated) before they can verify their email address. For example, if someone steals that email and clicks that link before the intended user does, I don't want the email thief to be able to take over the account.
OOPS I just figured this out, I wanted Lax SameSite policy on my cookies:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#SameSite_attribute
It takes three possible values: Strict, Lax, and None. With Strict, the cookie is sent only to the same site as the one that originated it; Lax is similar, except that cookies are sent when the user navigates to the cookie's origin site, for example, by following a link from an external site;
When I log in with an account which does not belong to the expected domain, this message is shown (which is correct).
I think this message is kind of ugly and not understandable for a non-developer person. Is there a way to modify this message in the Google Cloud Console or inside the OAuth code? I would like to display for example:
The email you used does not belong to the happy.com domain.
I fount this Feature Request In the Public Issue Tracker, and there they suggest to follow the steps of Customize the rejected-app message. Basically it mentions:
Your current account, user#domain.com, doesn't have permission to do these steps. To continue, switch to an administrator account. This will open the Google Admin console.
Switch to administrator account now or Learn more
From the Admin console Home page, go to "" and then Security and then API controls.
Under App access control, go to the Settings section.
Type your custom text in the box under the following message: Show this message if a user tries to use an app that can’t access restricted Google services.
Click SAVE.
If this doesn't make it, I would recommend you to comment on that FR in which they mentioned:
I have filed this feature request internally.
You might also want to ‘star’ the FR to ensure that you receive updates about it. You can also adjust notification settings by clicking the gear icon in the top right corner and selecting settings.
We have an add-on for Google Sheets and would like to switch other Google accounts for some functions.
Half a year ago, I successfully added a URL (https://***.googleusercontent.com) to Authorized JavaScript origins and a URL (https://oauth-redirect.googleusercontent.com/r/\*\*\*) to Authorized redirect URIs.
But now we can't and, therefore, it keeps showing
Authorization Error (Error:400: redirect_uri_mismatch).
When I try to add this URL(https://***.googleusercontent.com), it shows
"Save failed! The request failed because one of the field of the resource is invalid."
I don't know whether the rules changed and what should I do. See the screenshot for details. Thanks!
Error Message: The JavaScript origin in the request, https://***.googleusercontent.com, does not match the ones authorized for the OAuth client.
This appears to be a bug.
The issue you reported on Issue Tracker has been forwarded internally:
Fail to Add *.googleusercontent.com into Authorized JavaScript origins
Thank you for bringing this to our attention. It has been forwarded internally.
Posting this here to give it more visibility. Please click the top-left star if you're affected by this.
I have the same problem, since October I am not allowed to use *.googleusercontent.com as Authorized origin.
I reported it on Issue Tracker, but their answer simply was "Thank you for your report, unfortunately Issuetracker is not the proper forum to address your report".
I solved this problem (At least temporarily) by inserting the Google sign-in button on an external site (Github pages) and once logged, redirect the user to my *.googleusercontent.com page with the sign-in token inserted in the URL as a parameter.
I am integrating Box.com with my application. My flow is when the employee login for the very first time, he will be presented with Box Page in an frame (Please note I am not using Box Embed Widgt as such).
After entering the valid username and password in box page, then user wil be taken to another page, where he can select "access to box" or "Deny Access".
Now my issue is when I click on Deny Access nothing happens, I get a blank screen. When debug it reaches my application back and but nothing happens.
Could you please guide me.
Thanks
If the user clicks deny, then Box will call your redirect URI (on your server) with
You will receive a GET request at
https://www.yourServer.com/someendpoint?error=access_denied&error_description=The+user+denied+access+to+your+application
You will need to handle that response, and know that the user decided they did not want to use your application.
You do get a notification of the denial via the page registered with Box.
When you register your application with Box you provide a page (your page) that will be called when the oAuth completes.
This is explained in this tutorial: http://developers.box.com/oauth/
Look particularly at this section:
Authorization Code: The authorization code is only valid for 30 seconds.
However, if the user clicked Deny, you will receive a request with an error and error_description parameter, such as:
GET https://www.sean.com/rose?error=access_denied&error_description=The+user+denied+access+to+your+application
I was following the steps from box.net document
http://developers.box.com/get-started/#authenticating
I can get a ticket as it said first.
Then I use that ticket at following url https://www.box.com/api/1.0/auth/{your ticket}
in a browser, it works as it says. the browser will direct the user to box login page.
In that login page if I input username/password for login.
I can get the auth_token as the document says.
The problem is while I didn't choose username/password for login but use google openid to login an box account.
I will not able to get that auth_token as the document says. the returning response with following status:
not_logged_in
I want to know if this is a bug or I not correctly using the API to get that auth_token.
As many of box user now are using google openid as primely login choice this seems an common use case need be supported.
If anyone know the answer would be very appreciated.
Thanks
If a non-OpenID user is able to authenticate through the Box API's standard authentication process, then your code is fine. We have had reports of issues for our Single Signon issues, so this is likely a bug on our end.
Just make sure your app can authenticate users who have Box passwords. When we resolve these SSO issues, OpenID users will be able to connect your app without any changes on your end.