I am using Ruby on Rails to access my Gmail account and read emails. I recently changed the password of my account. Since then, I am unable to access the emails using the credentials I was using previously. That is, after changing the password, the client id, client secret and refresh token are invalid.
Tried creating new client id and client secret. But in order to generate the refresh token, I need the authorization code. For this I am performing the following steps:
Run command: gmail_cli authorize
Insert newly created client id and client secret
Access the url returned in the terminal.
On accessing the URL, it throws an error:
Authorization Error
Error 400: redirect_uri_mismatch
The redirect URI in the request, urn:ietf:wg:oauth:2.0:oob, can only be used by a Client ID for native application. It is not allowed for the WEB client type. You can create a Client ID for native application at https://console.developers.google.com/apis/credentials/oauthclient
I understand that the issue is with the redirect URI. But where should I add it? And what should the URI be?
Any help would be grateful.
After changing the passwords of your account, all refresh tokens will be revoked for that user when one of the gmail scopes was used to create it.
You should simply need to authorize your application again. Remember though with the remove of OOB that you can no longer use the redirect uri of urn:ietf:wg:oauth:2.0:oob you should instead use localhost.
redirect_uri=http://127.0.0.1:port or http://[::1]:port">http://[::1]:port or
Making Google OAuth interactions safer by using more secure OAuth flows
Out-Of-Band (OOB) flow Migration Guide
I was able to resolve the issue. Hence sharing the details for anyone who stumbles on a similar issue.
As mentioned by #DalmTo, the client id and secret do not change. I had created new credentials and was trying to get the authorization key for it which was leading to an error.
So the solution is that using the same credentials we just need to create new access key and refresh token.
Related
I am not clear on what exactly I should do with the id token from Google after the initial verification.
I'm developing on expo/react native and get the id token locally. Then, I send it to my server and verify it using google client libraries. Once it's verified what should I do with it?
Ideally I could use it to protect my api routes (express) but id tokens expire after 1 hour and I'm not sure how to refresh them with the client library. So, I don't know how I would do this.
Is that the intended use for id tokens? Should I instead be signing my own jwt and sending that back to the client? Then, the client could send that in the auth header of each request to a protected routes.
Google says:
After you have verified the token, check if the user is already in your user database. If so, establish an authenticated session for the user. If the user isn't yet in your user database, create a new user record from the information in the ID token payload, and establish a session for the user. You can prompt the user for any additional profile information you require when you detect a newly created user in your app.
https://developers.google.com/identity/sign-in/ios/backend-auth
Do I use the id token to "establish a session for the user"?
Yes, the ID-token is only used to create the local session, perhaps also create a local entry in your local database if that is used.
The ID token also have a very short lifetime, like 5 minutes in some systems. So it has no long-term use.
The ID token is intended to authenticate the user. It gives you information about the authenticated user, it should not be used to allow access to your endpoints. Access tokens or sessions are intended to do so. So in your case, you should do exactly as your gut feeling tells you - create a session for the user basing on the data you got in the ID token.
If you have your own Authorization Server you can use the ID token to issue an access token and return the token to the frontend app, then use the access token to access your backends. Have a look at OAuth flows if you would want to go this way.
In our project we want to have one "master" client the user has to get an access token for once. Any further clients that require an access token will do so through the "master" client.
Currently the user has to log in each time a client wants an access token. If our "master" client has a valid token and I try to get to the authorize endpoint with it, I either got forwarded to the login page or get an "InsufficientAuthenticationException: User must be authenticated with Spring Security before authorization can be completed."
At this point I wonder if it's even intended to access the authorize endpoint in this way or if we're just doing something wrong.
I had the same issue. Basically what I have done is extended AbstractTokenGranter with new grant_type in which I got authentification from token store and created new TokenRequest with second clientIds. Also you need to create new AbstractUserDetailsAuthenticationProvider with your checks and extend UsernamePasswordAuthenticationToken to hook it in chain.
All whats left is to add granter and provider in setup and use your brand new grant_type in request to oauth master server. Good luck!
A quick overview of the problem.
I have a client application that will use IDS to authorise access to a google service on behalf of the end user.
However, the client application isn't, itself responsible for talking to google. There is a Server app that does some magic with the user's data on his behalf.
Now, if I understand things correctly, the server app will use the Access Token supplied by the client app to talk to google. What happens when that access token expires? As I understand it the client application is expected to use the refresh token to as for a new access token.
Is there an issue with the server using this refresh token to update the access token? What flow am I supposed to use to make this magic happen?
A server using a refresh token to get a new access token is a valid use case.
If you're working with OAuth you can use the Client Credentials or Resource Owner flows to use refresh tokens, otherwise for OpenID Connect you'll need to use Authorization Code or Hybrid.
I am trying to impliment Oauth for my webapplication for google.I am worked upon a POC and it working fine but i have a confusion and not sure how best it can be achieved.
I am using scribe java API for Oauth.
here are the steps i am performing.
Getting request token from Google.
Redirecting user to Google to authenticate them self and authorize my serivice to access his/her few details.
get Access Toekn from google by providing request token and verification code given by google.
Accessing user info once google provide Access token.
now my main confusion is at step no 3, since i am working on a web-application so it will be a 2 step process.
Redirecting user to google
Handling back google redirect.
In order to get an Access token i need to provide same request token which i got at step1 else my request being rejected by the user.
The request token contains 2 things
Toekn -->which is based on the registered application so not an issue
Secret-->This is always being a random string so it should be same when asking for access token
that means i need to store this secret either in my session or some where so that i can access this secret when user is being redirected back to my application.
My confusion is,since in order to save it in session i have to create a unique key and some way to access it in the other action class which will handle Google Redirect back how can i achieve this since at a given time so many user can ask to login using google.
any help in this regard will be much appriciated.
Thanks in advance
When you receive the request token + token secret, use the request token as the unique key of your session to store the token information. After the authorization process, in the callback url, you have access to the request token (it's one of the parameters passed to the callback url). Using this parameter as the session key, you can restore the token information from session, including the token secret, and use it to sign your request for changing the request token for access token. After receiving the access token, a new token secret is returned to you and you can delete the old one from session.
how can i achieve this since at a given time so many user can ask to
login using google
This is not of any problem because for every single user on your site, you are given a different request token.
I modified google consumer to use in my application scenario.
My scenario is to authenticate user on our client's website and then log them into our system. I am able to do the following:
1) Get Request Token
2) Redirect them to the client's site. User enters username and password and they come back to our URL.
After this step I cannot get the access token.
var accessTokenResponse = google.ProcessUserAuthorization(); is always null.
Our client told me that when they return back to us they don't include the verifier and signed request token. I am not sure if that is the reason why I can't get this working.
Can someone please help? I am new to this.
Thanks
If you're doing authentication then your use of OAuth is probably inappropriate. You should be using OpenID of you're authenticating via Google.
As long as you're using OAuth, yes, the verifier string is mandatory.