I recently received an email from Google saying "Migrate your impacted OAuth Loopback IP Address clients to an alternative method". I have a UWP app that creates a Google SSO login. The OAuth 2.0 Client ID type is "ios" (I used this sample from Google: https://github.com/googlesamples/oauth-apps-for-windows/blob/master/OAuthUniversalApp/README.md).
I read the migration guide from Google: https://developers.google.com/identity/protocols/oauth2/resources/loopback-migration.
And they are saying that the redirect_uri parameter has any of the following values:
redirect_uri=http://127.0.0.1: e.g. redirect_uri=http://127.0.0.1:3000
redirect_uri=http://[::1]: e.g. redirect_uri=http://[::1]:3000
redirect_uri=http://localhost: e.g. redirect_uri=http://localhost:3000
My app doesn't use any of those redirect_uri values, but I still got that mail about migrating Loopback IP Address clients.
Also, Google posted this guide: https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html for migrating, and they did not mention UWP apps.
Am I missing something? And if I'm not, why did I get this email in the first place?
I am developing a web-based application that will allow my trusted staff to edit the titles, descriptions, tags, etc. of my YouTube channel. In attempting to "Opt In" to my own application, I was sent to the callback URI with an error message:
You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy for keeping apps secure. You can let the app developer know that this app doesn't comply with one or more Google validation rules.
Some history - when I first attempted to obtain a code to exchange to an authorization token, it actually worked! However, as I was writing the code to harvest the code and exchange it for the authorization token, I repeated the "Opt In" process multiple times. Before I was ever able to perfect my code to exchange the code for an authorization token, I began getting the error message to the effect that the app is insecure and cannot be signed in to.
More history - after reading a Stack Overflow article describing something similar, I deleted the project, created a new project, generated a new Client ID and Client Secret, and then repeated the test with the same failure.
I am the only Test User of the app. I can't find any notification in my console alerting me to the nature of the security issue triggering the failures. I have reviewed the OAuth policies at
OAuth 2.0 Policies
and cannot find anything even remotely wrong.
What is wrong and how can I fix it?
I also had the same issue.
For me, it turned out that my redirect_uri was not valid. The redirect_uri that gave the error:
http://localhost:8000api/vi/oauth/google
What was wrong in my case:
I should have put a / before api.
vi is different from what I registered on GCP. It should be v1.
I would suggest you print out the redirect_uri when your app performs the code exchange, and verify every single character carefully.
Additionally, check out the documentation of the Redirect URI validation rules on Google to see if your redirect_uri complies with all the rules.
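The answer above recommends printing the redirect_uri and comparing it character by character against what is registered, and then checking it against Google's validation rules. The following is an added example (not code from the answer's author) that automates both steps: it reports the first differing character against the closest registered URI, and flags a subset of Google's published rules (https unless the host is loopback, no fragments, no userinfo, no wildcards, no raw IPs other than loopback, no path traversal). The sample URIs are constructed from the answer.

```python
import ipaddress
from urllib.parse import urlsplit


def is_loopback(host):
    """True for localhost or a loopback IP (the only hosts Google allows with plain http)."""
    if host is None:
        return False
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def rule_violations(uri):
    """Return a list of violated rules (subset of Google's redirect URI rules)."""
    problems = []
    try:
        parts = urlsplit(uri)
        parts.port  # raises ValueError for a non-numeric port such as "8000api"
    except ValueError as exc:
        return [f"unparseable authority/port: {exc}"]
    host = parts.hostname
    if parts.scheme != "https" and not is_loopback(host):
        problems.append("scheme must be https unless the host is loopback")
    if parts.fragment or "#" in uri:
        problems.append("fragments are not allowed")
    if parts.username or parts.password:
        problems.append("userinfo is not allowed")
    if "*" in uri:
        problems.append("wildcards are not allowed")
    try:
        ipaddress.ip_address(host or "")
        if not is_loopback(host):
            problems.append("raw IP addresses are not allowed except loopback")
    except ValueError:
        pass  # not an IP literal, so this rule does not apply
    if "/.." in parts.path or "/./" in parts.path:
        problems.append("path traversal segments are not allowed")
    return problems


def first_mismatch(actual, registered):
    """Index of the first differing character, or None if the strings are identical."""
    for i, (a, b) in enumerate(zip(actual, registered)):
        if a != b:
            return i
    return None if len(actual) == len(registered) else min(len(actual), len(registered))


def check_redirect_uri(actual, registered_uris):
    """Compare the URI the app actually sends with the ones registered in the console."""
    if actual in registered_uris:
        return {"match": True, "violations": rule_violations(actual)}
    # Pick the registered URI sharing the longest common prefix with the actual one.
    closest = max(registered_uris, key=lambda r: first_mismatch(actual, r) or 0)
    idx = first_mismatch(actual, closest)
    return {"match": False, "closest": closest, "mismatch_at": idx,
            "actual_tail": actual[idx:idx + 12], "registered_tail": closest[idx:idx + 12],
            "violations": rule_violations(actual)}
```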
You probably changed the port where the project is running or you did not define the address where the project is running in Google Cloud.
Google Cloud → APIs and Services → Credentials → OAuth 2 Client ID → change Authorized JavaScript origin to the port that your app runs on the local or shared host.
The URL may take time to define, so it may not work right away, so you can also create a new credential.
For me the redirect_uri was correct, but as a result of an error, the access code was requested for a different client ID.
I've followed a sample created here:
https://github.com/googlesamples/oauth-apps-for-windows/blob/master/OAuthDesktopApp/README.md
to have Google OAuth work with my desktop application and it seems I got stuck with redirect URIs. I know I have to provide a RedirectURI on Google Credentials page (in Developers Console), but I cannot figure out how to provide a RedirectURI to accept any port number.
In this sample, a local HTTP server opens a connection on localhost (127.0.0.1) and it seems to work, no matter which port is used for listening (it finds some random port and then sends RedirectURI as localhost:randomport) and authentication works as expected. However, when I try to do that in my application, I get notification that RedirectURI is not defined. Is there any special syntax to be used when defining RedirectURI inside Developer Console?
As stated in the README for the sample you are following:
Create a new OAuth 2.0 client, select Other
You should have created an OAuth2 client of type Other, not a Web application. The only difference really is that Other is intended for desktop or native applications, which use localhost by default as the redirect URI.
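The sample discussed in this question listens on a random loopback port and sends that port back as the redirect_uri. The following is an added example (not the sample's own code, nor the answerer's) of the same loopback pattern in Python, with the two protections Google requires for installed apps: a PKCE code challenge and a state value that the callback handler checks before it accepts a code. The client ID, scope and endpoint values are assumptions for illustration.

```python
import base64
import hashlib
import secrets
import socket
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"  # Google's authorization endpoint


def pkce_pair():
    """Return (code_verifier, S256 code_challenge) per RFC 7636."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def reserve_loopback_port():
    """Bind 127.0.0.1:0 so the OS picks a free port; the redirect_uri is derived from it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    return sock, f"http://127.0.0.1:{sock.getsockname()[1]}/"


def build_auth_url(client_id, redirect_uri, state, challenge, scope="openid email"):
    """Authorization URL the app opens in the system browser (values are assumptions)."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "response_type": "code",
              "scope": scope, "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return AUTH_ENDPOINT + "?" + urlencode(params)


def parse_callback(request_target, expected_state):
    """Extract the code from the browser's GET; reject it if the state does not match."""
    query = parse_qs(urlsplit(request_target).query)
    if query.get("state", [None])[0] != expected_state:
        return None
    return query.get("code", [None])[0]


def wait_for_code(sock, expected_state):
    """Accept one loopback request from the browser and return the authorization code."""
    conn, _ = sock.accept()
    with conn:
        request_line = conn.recv(4096).split(b"\r\n", 1)[0].decode("ascii", "replace")
        target = request_line.split(" ")[1] if request_line.count(" ") >= 2 else "/"
        code = parse_callback(target, expected_state)
        status, body = ("200 OK", b"You may close this window.") if code else \
                       ("400 Bad Request", b"State mismatch; request rejected.")
        conn.sendall(f"HTTP/1.1 {status}\r\nContent-Type: text/plain\r\nContent-Length: "
                     f"{len(body)}\r\n\r\n".encode() + body)
    return code
```

The returned code is then exchanged for tokens together with the verifier from `pkce_pair()`; that exchange is initiated by the app, so no inbound port other than the loopback listener is needed.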
I have looked into the first 15 "similar questions" to my question and none resolved my issue. Sometimes, the error I am getting for the same API request is "This IP, site or mobile application is not authorized to use this API key. Request received from IP address {*ip_address*}, with empty referer". I also searched for that and none of the solutions suggested helped in my case.
My current situation
I am calling https://maps.googleapis.com/maps/api/directions/json?key=MYKEY&some_other_params in an iOS project
I am using an API key that is restricted to a Bundle ID
I have a list of items (let's refer to it as location items) that when clicked I call the Direction API to get route info
I am getting the two errors I mentioned above interchangeably. That means sometimes I get the expired error and sometimes I get the IP error. I get the errors for the same location item.
APIs enabled:
Directions API
Geolocation API
Maps SDK for iOS
Geocoding API
Places API
The Bundle ID is not the problem
I know that my Bundle ID is correct as I am using it with another service, which is Firebase. To eliminate the silly mistake of mistyping, I copied the same Bundle ID from my Firebase API credential. My API key for Firebase is restricted to the same Bundle ID and to the Firebase service. It is working without any issues.
API restrictions only
To eliminate the Bundle ID issue, I also tried None for the Application restrictions and chose to restrict APIs. I added the APIs I listed above one at a time and called the Directions API. Nothing worked, neither having a single API (Directions API) or having all of them.
The weird thing about Places API
A weird behavior I am getting is that I created a new API key and it worked without any restrictions. What is more weird is that I disabled Places API temporarily. I did this as I wanted to "refresh" my APIs. I read in another thread that the IP issue was resolved by disabling and re-enabling the Places API. So I turned it off but did not turn it on immediately. I used a new API key and clicking my location items yields route info (I got the desired result).
Other restrictions (usage limit and billing)
I know that it is also not about the restriction of too many attempts on the Directions API. The documentation states that the limit is 50 requests per second. Besides, I did the "fast clicking of items" using the unrestricted API key and I always get a route info. Billing is also enabled on our project so that's not the issue either.
Stuck with an unrestricted key
Right now we are using an unrestricted key, which is unacceptable. I wonder why using an unrestricted key works perfectly and restricting it does not. I am sure I am missing a configuration, but I have tried every possible combination that I can think of.
API keys restricted to your application's bundle ID won't work for backend web service requests such as the Directions API. These API keys would only work for requests made from the Places SDK and Maps SDK for iOS. This is the reason why you are getting the error "This IP, site or mobile application is not authorized to use this API key. Request received from IP address {ip_address}, with empty referer".
According to Google Maps API key best practices, for API keys used for Web services sent directly from a mobile applications, you can do one or more of the following techniques to secure your API keys:
Use a proxy server. The proxy server provides a solid source for interacting with the appropriate Google Maps Platform API. Then restrict your API key with IP restrictions.
Obfuscate or encrypt the API key or signing secret. This complicates scraping of API keys and other private data directly from the application.
Use CA pinning or certificate pinning to verify the server resources are valid. CA pinning checks that a server's certificate was issued by a trusted certificate authority, and prevents Man-In-The-Middle attacks that could lead to a third party discovering your API key.
I want to use the Google Maps API for a route between two locations in my iOS application. I tried to create a public key for the project and enable the APIs in the developer console, but I got this error: this IP, site or mobile application is not authorized to use this API key. After this error I tried to create an API key with the key restriction (IP addresses (web servers, cron jobs, etc.)) and set my IP address, and then routing works fine. But when I try this from another device, again and again I get this error.
I should use this URL for routing:
let url = "https://maps.googleapis.com/maps/api/directions/json?origin=\(origin)&destination=\(destination)&mode=driving&key=APIKEY"
How can I solve this problem so that my code works on all devices?
The API key that you use with Google Maps web service (Directions API) supports an IP restriction as mentioned in the following document:
https://developers.google.com/maps/faq#using-google-maps-apis
The issue is that you cannot know the IP addresses of all devices where your application is installed.
You have the following options:
Use an unrestricted API key. Note that the API key requires an HTTPS connection, so the API key won't be intercepted from the request itself, because the request is encrypted. So, in this case you should ensure that the API key is not put directly in your source code. If you can read it from config or the environment, it might be feasible.
Create an intermediate server. Your iOS application should send requests to the intermediate server, intermediate server should send requests to Google and pass responses back to your app. In this case you can restrict an API key by IP address of your intermediate server.
I hope this helps!
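Both the answer above and the earlier one about bundle-ID-restricted keys recommend an intermediate server that holds the key and calls the Directions API on the app's behalf, with the key restricted to that server's IP. The following is an added example (not code from either answer) of such a proxy: the key is read from the environment on the server, the client's query is allowlisted before forwarding, and a client that tries to supply its own key parameter is rejected. Endpoint path, port and the environment variable name are assumptions.

```python
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import urlopen

# Assumption: the key is provisioned on the proxy host only, never shipped in the iOS binary.
API_KEY = os.environ.get("MAPS_API_KEY", "PLACEHOLDER_KEY")
UPSTREAM = "https://maps.googleapis.com/maps/api/directions/json"
ALLOWED_PARAMS = {"origin", "destination", "mode"}
MODES = {"driving", "walking", "bicycling", "transit"}


def build_upstream_url(query, api_key=API_KEY):
    """Validate the client's query string and return the server-side Directions URL.

    Returns None (caller answers 400) when the client passes unknown parameters,
    its own "key", an unsupported mode, or omits origin/destination.
    """
    params = parse_qs(query, keep_blank_values=True)
    if "key" in params or not ALLOWED_PARAMS.issuperset(params):
        return None
    if "origin" not in params or "destination" not in params:
        return None
    clean = {k: v[0] for k, v in params.items()}  # one value per parameter
    if clean.get("mode", "driving") not in MODES:
        return None
    clean["key"] = api_key  # the key is added here, on the server, only
    return UPSTREAM + "?" + urlencode(clean)


class DirectionsProxy(BaseHTTPRequestHandler):
    """Minimal proxy: GET /directions?origin=...&destination=... from the app."""

    def do_GET(self):
        parts = urlsplit(self.path)
        if parts.path != "/directions":
            self.send_error(404)
            return
        url = build_upstream_url(parts.query)
        if url is None:
            self.send_error(400, "unsupported query")
            return
        with urlopen(url, timeout=10) as resp:  # outbound call from the proxy's fixed IP
            body = resp.read()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), DirectionsProxy).serve_forever()
```

In production the proxy should also authenticate the app's own users and rate-limit them, since otherwise it simply becomes an unrestricted key with extra steps.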
Any way to test OAuth integration to google without having to have a port forwarding rule in my router back to my development Mac?
Background:
Developing Ruby on Rails web app that will request data from Google Calendar API via OAuth
Using Rails "OAuth Plugin" for this purpose
Developing on MacBook which is running my dev environment
Google needs (as part of OAuth) to make a callback back to my local dev environment
Can't seem to think of a way to test with Google without having to set a Port forwarding rule in my site's router back to my Macbook?
This threw me for a loop too. I actually went through the work of setting it up on a public IP even though I didn't have to in the end.
But yes, your comment is correct. The callback URL is passed on to Google during the redirect then after you've been authenticated with Google, Google will redirect you back to the callback URL providing an authorization code as a parameter.
The only server to server communication that happens is exchanging the authorization code for access and refresh tokens. This typically happens on the callback page. But since it's initiated by your server and not Google, no special open ports are required.