"Error 403: access_denied" when usign Google OAuth - oauth-2.0

I am trying to understand the basic logics for receiving GMail emails with Google OAuth. I see this document Authorizing Your App with Gmail
Now I follow the instructions in Setting Up POP3 Importing with OAuth via Google to setup POP3 with Google OAuth.
I login one Google account(Account1) and then in Google Cloud, create the Google App and OAuth Client ID.
Then I start connect to GMail account(Account2) with the web application(WHMCS). When connecting, it asks me to choose an account that create the app, so I choose Account1. But get the following error:
Error 403: access_denied
The developer hasn’t given you access to this app.
Thus I am a bit confused. Since Account1 is used to create the app and OAuth Client ID, it should be able to access the app when I choose Account1, but the app will not be able to access the data in Account2. Or does the App in the error message means Gmail, not the app I created in Google Cloud?
Should I use Account2 to create the app for receiving emails in Account2? If yes, then for each Gmail account, should I create a separate app accordingly?
Update
Now I try to do as follows:
Use Account3(The admin of Google Workspace) to create the Cloud Project, Consent Window, Client ID, etc.
Then when connecting from WHMCS on our domain datanumen.com, it asks me to choose the account, I choose Account3, and then see a new window as below:
I then select "Allow" button, but then see the following error:
Connection unsuccessful. Please close this window and try again.
Update
I try several times. And find the first time will be successful. I forget enable POP3 in my Gmail account. After enabling it, everything is fine.

I am a bit confused as to what you are trying to do here.
You created a project on Google cloud console and created client id and client secret for the authorization of your project.
All this does is create a project that will be allowed to use Oauth2 to request authorization of a user to access their data.
If I understand what WHMCS is trying to do. Its going to let you use your client id and client secret to request access of a user to access their data.
So when it asks you to authorize a user this is the user whos data you want access to. That user must be added as a test user over on Google cloud console for the project that you created.
The project you create on google cloud console is still in the testing phase. Each user you want to allow to test your application must be added as a test user. Other wise only the owner of the project can test the applicaiton.
To fix this issue for me was this simple:
Go to https://console.developers.google.com/
open the project in question.
Click "OAuth consent screen" on the left.
Under "Test users" there is a button called "+ ADD USERS"
Type the email of the account you will be testing with, press enter, then click save.
It should work now
It seems like they updated this recently because last year I did not have to do this.
workspace
The issue you may be having is that if you created this project on a workspace account then i suspect only workspace domain users are going to be able to authorize it. It cant be authorized by someone on the standard google domain. So try with a workspace domain user. The same may go the other way I have never tried tbh. I tend to keep workspace within its domain.

Related

Got a google AIY Authorization Error while trying to connect to google cloud

I was at the cd ~/AIY-projects-python/src/examples/voice ./assistant_library_demo.py
part, after i got the link and pasted it into the browser i got this error:
Error 403: access_denied The developer hasn’t given you access to this app. It’s currently being tested and it hasn’t been verified by Google. If you think you should have access, contact the developer
Keep in mind that i am logged in the account that i just got the api from. Is not like i am on another one...so..what can i do ?
The simplest solution to this is to add your e-mail address as a tester. Click OAuth Consent Screen in the left menu, then click the Add Users button under "Test Users".

Adding new permissions resulted in: Access is denied. Check credentials and try again

I made an app where the user logs in to their Office 365 account and I perform actions using the Microsoft Graph API. When I first started the app, I requested for little permissions such as profile and mail permissions. However, I now want to access the user's calendar and thus I added more permissions (Calendars.Read, Calendars.ReadWrite).
Now, when I try to get the user's calendar events, I receive the following error:
{code: ErrorAccessDenied, message: Access is denied. Check credentials
and try again., innerError: {request-id:
33074527-630e-41cf-bd00-4fcd5f0ac816, date: 2018-09-10T03:15:07}}
I noticed that once I added these calendar permissions, it didn't prompt the user to accept these new permissions so I think that's why I don't have access. Do I have to delete my app or something in order to get these permissions from the user? I tried to force the user to sign in again adding new permission requests to the scopes variable but it still didn't ask the user for these permissions.
No, you need to update the consent recorded for the user. My guess is you are using the Azure v1 OAUth2 endpoints, as this problem tends to crop up there more often than the v2 endpoints :).
The problem here is that the first time your user consented, Azure recorded their consent so they wouldn't be prompted again. That record captured the permissions you initially had configured on your app registration. Azure v1 is not "smart" enough to detect that you've added new permissions on your app registration since the user's consent was recorded, so it happily continues to issue tokens with the old permissions, skipping the user prompt.
To get the prompt to show up, you need to include a prompt=consent query parameter on the authorization URL, as documented here.
If you're using the v2 OAuth2 endpoints, this becomes a bit easier. With the v2 endpoints, all you have to do is include the new permission scopes in the scope query parameter for your authorization URL. Azure will detect that the user hasn't consented for them, and will prompt.
So how do you tell which endpoint you're using?
Did you register the app at https://portal.azure.com? You're using v1.
Are you using ADAL libraries in your code? That's v1.
Are you using MSAL libraries? That's v2.
Does your code send the user to a URL that has v2.0 in it? You guessed it, that's v2. If there's no v2.0 in it, it's v1.

Can't get permissions for Microsoft Graph API Drive integration

we are using Microsoft Graph API for uploading files for business and personal accounts.
After the account logs in, we ask for some permissions, but we don't add the once needed for OneDrive. After the user explicitly requests to upload a file we send another request for an AccessToken including all scopes until now + files.readwrite.all. This was working perfectly until (maybe) a month ago. Now it works for business accounts, but not for personal accounts.
Steps that we do:
Redirect the user to login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=...&redirect_uri=https%3A%2F%2Fmywebsite.com%2Fsignin-microsoft&response_type=code%20id_token&scope=openid%20offline_access%20profile%20email%20mail.readwrite%20mail.send%20contacts.readwrite%20calendars.readwrite%20people.read%20user.read%20files.readwrite.all&response_mode=form_post&nonce=636656...&state=CfDJ8MLMcPchE...
The user selects their account (whit which they are already signed in)
They get redirected to https://login.live.com/oauth20_authorize.srf with the following sreen:
The permissions are not added for our application and we don't get any error.
Here is also the response from the error page:
Error Info
"/pp1600/oauth20_authorize.srf?client_id=9d3c...&scope=openid+offline_access+profile+email+mail.readwrite+mail.send+contacts.readwrite+calendars.readwrite+people.read+user.read+files.readwrite.all&redirect_uri=https%3a%2f%2fmywebsite.com%2fsignin-microsoft&response_type=code+id_token&state=CfD...&response_mode=form_post&nonce=636...&x-client-Ver=5.2.0&display=host&uaid=521...&msproxy=1&issuer=mso&tenant=common&ui_locales=en-US&username=pesho..."
loginserverprotocolhandler(846)
HR=0x80041018
Method string:GET
URL:"/pp1600/oauth20_authorize.srf"
Query string:"code=5"
Server protocol:HTTP/1.1
Update: after a couple of tries i actually managed to grant access to one of my accounts for the OneDrive integration. Not really sure what changed. I was just logging in and out with different Outlook accounts in Outlook and in our app. After that, i tried the same process with a different account and it failed again. Every time I was trying this I was logged with the same account on both places.
One more thing that I noticed is that before the consent was for all permissions and now the consent screen showed request only for the files permission.

How do I restrict user sign ups to only certain domains in Firebase?

I have an iOS app that I'd like to restrict access to, making it only available to users from a specific email domain.
The app requires the users to log in using their Google Account.
I've found various answers online that suggested adding
".read": "auth.token.email.endsWith('gmail.com')"
But that doesn't seem to return an error in the sign in page, but only when the user in question tries to access the database. Any suggestions?
You will have to enforce that. You have multiple tools to do so:
After signInWithCredential resolves, you can check the domain and that it is a google.com provider. If you are allowing email/password users, you need to verify those too. If the user doesn't meet your criteria, use the delete API on the user and issue an error to the user that they need to sign in with a certain account.
Enforce the check in your rules, as you can't always trust the client. Ensure that if a user signs up, and isn't deleted, he/she can't access the data.
Use Firebase functions which has a trigger for user creation. On user creation, check your criteria is met, if not, use the firebase-admin module to delete that user.
If you are using the Google sign-in library for iOS to get the Google credential, you can check the Google user email and Google ID token before you signInWithCredential in Firebase and block the sign in attempt.
Write your own clean up script: If you are hosting your own server and do not want to use Firebase Functions, you can run a daily script that downloads all your users using the Firebase CLI SDK and then deletes all users using firebase-admin SDK that do no match your criteria.
Since the required email domain is #gmail.com, you could just disable the email and password and enable the Google sign in method in your Firebase console. So, the only way a user can sign in on your app is with a Google account.
https://firebase.google.com/docs/auth/ios/google-signin
Include the email and password sign up option and just check for domains within your app. This will be a simple string comparison test on the email address.
Or just spin up a server to which you'll be sending the emails to for verification. This way you wouldn't have to push out new updates every time you add an extra domain. You can try and see if cloud functions would be helpful instead of spinning up a new server.

How to delete Google App Engine OAuth 2.0 client ID?

I want to implement social media log-in feature to my site where I have to allow users to use their existing Google or Facebook credentials to log-in to my site.
I read some articles and found learned that for Google log-in, I need to use Google+ API. So I added some Javascript and HTML code in my HTML page and tried to log in but I am getting following error.
401. That’s an error.
Error: invalid_client
Application: mytestapplication
You can email the developer of this application at: shekhar#gmail.com
no registered origin
I tried to create new OAuth ID but already there are too many IDs and I am not able to delete any one of them. I have tried all the client-id present for this application but none of the client-id is working.
Can anyone please tell how do I implement sign-in with google feature? How to delete and create new client-id?
The last line is important:
no registered origin
On the API Credentials page, click Edit Settings under the Client ID for web application section. Put your URL there (http://example.com).

Resources