ss_domain parameter in context of OAUTH or OpenID? - oauth-2.0

I'm trying to learn about OAuth and OpenID Connect.
Thus I am investigating my own traffic, listening to Authorization Requests and Grants by checking for the required parameters in OAuth as described in https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1 and https://www.rfc-editor.org/rfc/rfc6749#section-4.1.2 for the Authorization Code Flow, as well as in sections 4.2.1 and 4.2.2 for the Implicit Flow.
Unfortunately, when using the SSO option for Google on joinhoney.com, I am only able to catch the Request, but not the Authorization Grant.
So, while debugging and having a look at the actual request, I can see the following parameters in the query part of the URL:
Parameter            Value
redirect_uri         storagerelay://https/www.joinhoney.com?id=auth[censoredID]
response_type        permission id_token
scope                email profile openid
openid.realm         (no value)
client_id            705229005811-2fdpup66d8aefq4qs2ru1n8qiosuq4fb.apps.googleusercontent.com
ss_domain            https://www.joinhoney.com
fetch_basic_profile  true
gsiwebsdk            2
Now, to get to the actual question:
Where can I find some specified information about the ss_domain parameter?
I could not find any information in https://www.rfc-editor.org/rfc/rfc6749 or on https://openid.net/; however, when searching Google, I can find some people using the ss_domain parameter (only without further explanation), so I doubt it is something only used by joinhoney.com.
I'd be happy if somebody could shed some light on this!
Thank you!

If you are at www.example.com, and your redirect_uri is to a different domain, e.g. subdomain.example.com, you need to set ss_domain to https://subdomain.example.com.
This custom ss_domain change, however, is not possible using the Google login client-side SDK. You have to push the URL manually.

Related

Missing authorization code error in Google OAuth2

I'm stuck with an issue while trying to use Google's OAuth2 PHP lib. On the server side, after I instantiate an OAuth2 object I redirect the user to Google's sign-in page, after which they hopefully grant permissions based on the scopes (the APIs I declared for use in the OAuth2) I declared. Now here's my issue: after the user grants permission I get redirected to the redirectUri I specified during the instantiation of OAuth2. This redirectUri contains as params state, code, and scope k-v pairs. I always get a "Missing authorization code" if I don't send back the value of code to the server and set it as a property of the OAuth2 object. However, if I send back the value of code to the server and set it as a property of the OAuth2 object I get a
"Client error: POST https://www.googleapis.com/oauth2/v4/token resulted in a 400 bad request response. Error: "invalid_grant""
So, I'm at a loss here. I should mention that I actually managed to make 2 authorized calls to Google Ad Manager (the scope I declared) using the same flow I described above, but after that I keep getting the same 2 errors as above.
Does anybody know what's going on? I must be missing something but I can't see what. I'm using this guide, so it's not really convoluted or complicated code, but I just can't get it to work somehow. https://github.com/googleads/googleads-php-lib/wiki/API-access-on-behalf-of-your-clients-(web-flow)

Account linking Google Assistant

I am actually looking for an answer to my problem of account linking on Google Assistant.
Sorry, the screens are in French, but I can translate all of it if it's necessary for understanding.
I followed the Google account linking documentation up to "implement your OAuth server":
https://developers.google.com/assistant/identity/oauth2?oauth=implicit
First:
On the Google Action, this is my configuration of account linking:
Next I'm trying to authenticate on my application:
I have to sign in on the Google Home app.
I said, "talk to my test app:"
And Google redirects me to my API with the authorization page.
I provide my password and my email.
The auth works on my API, but unfortunately an error is displayed on Google Assistant after the redirection ...
The error message in English is: "Sorry, an error occurred. I didn't succeed to sign up. You can try again later."
I don't understand why I got this error ...
The GET authorize URL is:
http://f8f73376.ngrok.io/api/auth/authorize?redirect_uri=https%3A%2F%2Foauth-redirect.googleusercontent.com%2Fr%2Farlex-ccevqe&client_id=*clientid*&response_type=code&state=AB8b_TOd3At3ADLyuTi9k02War1fEmzT8vBeXxgHidVA5zTHVmVmE536Sjw60EAK_rUfb4Ie84Ly2l6E5AfW-F_Eo3hipueQzGbnEfpGlUHdhIeTQyfJYCk2I5-yT_n6vceOYeVlYfXF-frpVoiSCH9K2ns-7rbbgq3wEX2Px0DX3QH5ijgSsT7lvr0vOHECCCzTav9ldYf4G-EcruSModayIhIYBMKjKUQJqddBjJZ5JyCEE0cOJNvOeI13T35WoJ8_0HYoX2BXRYKGUJLiEOHX_cNlLWmcL1Y5wzDze6wa-qTM7Hvg7cutqO_u9pnhNWeMDkMgQljpSfUzyP7Ry1iWziE64nMtDmhxA48Qbufm-bRjpTRTCOBQN-_gLmx1aT2bBGTouSyg6cNY8E33HCzsp7H8qRfKYTdZ_Ga0IJcOam9MjNp2XFfgrw0uV7TTLig2LmYyJG_d-6urRGBY-xcwRxWkp7vCUtWvY6CXEZsF42rTjXYk-kr8xraS-2tNvgavhLASGvVVVgIg0AVSNZLdw9qvQMM-4NRFwsrAkZWz08kO493_lvA&user_locale=fr-FR
And the URL I sent for the redirection is:
https://oauth-redirect.googleusercontent.com/r/arlex-ccevqe#access_token=65cc814038a84114b8922b47eebc45cb&token_type=bearer&state=AB8b_TOd3At3ADLyuTi9k02War1fEmzT8vBeXxgHidVA5zTHVmVmE536Sjw60EAK_rUfb4Ie84Ly2l6E5AfW-F_Eo3hipueQzGbnEfpGlUHdhIeTQyfJYCk2I5-yT_n6vceOYeVlYfXF-frpVoiSCH9K2ns-7rbbgq3wEX2Px0DX3QH5ijgSsT7lvr0vOHECCCzTav9ldYf4G-EcruSModayIhIYBMKjKUQJqddBjJZ5JyCEE0cOJNvOeI13T35WoJ8_0HYoX2BXRYKGUJLiEOHX_cNlLWmcL1Y5wzDze6wa-qTM7Hvg7cutqO_u9pnhNWeMDkMgQljpSfUzyP7Ry1iWziE64nMtDmhxA48Qbufm-bRjpTRTCOBQN-_gLmx1aT2bBGTouSyg6cNY8E33HCzsp7H8qRfKYTdZ_Ga0IJcOam9MjNp2XFfgrw0uV7TTLig2LmYyJG_d-6urRGBY-xcwRxWkp7vCUtWvY6CXEZsF42rTjXYk-kr8xraS-2tNvgavhLASGvVVVgIg0AVSNZLdw9qvQMM-4NRFwsrAkZWz08kO493_lvA
There are two possible OAuth2 flows that you can use: Implicit (or "token") and Authorization Code (or "code"). While they are similar, there are some significant differences between the two in values of some of the parameters, how those parameters are sent back, and what else you need to support for each flow.
Although the URL you provided indicated you were following the "Implicit" flow, your screen shot shows you set Actions on Google to expect the Authorization Code flow. Additionally, Google is sending you a URL with response_type=code, and you are responding using a redirect that includes a hash and an access_token parameter, which are expected with the Implicit flow.
It looks like you have most things already set up to use the Implicit Flow, so the easiest solution would be to change this configuration in the Actions on Google Console. If you need the features that the Authorization Code Flow provides (most notably, limited lifetime for tokens), then you should adjust your server accordingly.
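The mismatch the answer describes (Google asks for response_type=code, the server answers with an implicit-style fragment) can be caught mechanically. The following is an added example in Python, not the asker's code or Google's; the host, client_id and state values in AUTHORIZE_URL are constructed placeholders, and the function names are mine.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-in for the Assistant's authorization request shown above;
# host, client_id and state are placeholders, not the asker's real values.
AUTHORIZE_URL = ("http://localhost/api/auth/authorize?redirect_uri=https%3A%2F%2F"
                 "oauth-redirect.googleusercontent.com%2Fr%2Fexample-project"
                 "&client_id=client-123&response_type=code&state=st4te-xyz&user_locale=fr-FR")


def parse_authorize_request(url):
    """Return the authorization request's query parameters, one value each."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def build_redirect(authorize_url, code=None, access_token=None):
    """Build the redirect back to Google that matches the requested response_type."""
    req = parse_authorize_request(authorize_url)
    redirect_uri, state = req["redirect_uri"], req["state"]
    if req["response_type"] == "code":
        # Authorization Code flow (RFC 6749 4.1.2): code and state in the query part.
        sep = "&" if "?" in redirect_uri else "?"
        return redirect_uri + sep + urlencode({"code": code, "state": state})
    if req["response_type"] == "token":
        # Implicit flow (RFC 6749 4.2.2): token, token_type and state in the fragment.
        return redirect_uri + "#" + urlencode(
            {"access_token": access_token, "token_type": "bearer", "state": state})
    raise ValueError("unsupported response_type: " + req["response_type"])


def redirect_flow(redirect):
    """Classify which flow a redirect actually answers: 'code', 'token' or 'unknown'."""
    parts = urlsplit(redirect)
    if "access_token" in parse_qs(parts.fragment):
        return "token"
    if "code" in parse_qs(parts.query):
        return "code"
    return "unknown"


def check_redirect(authorize_url, redirect):
    """List what is wrong with a redirect for the given request; [] means it matches."""
    req = parse_authorize_request(authorize_url)
    parts, got, problems = urlsplit(redirect), redirect_flow(redirect), []
    if got != req["response_type"]:
        problems.append(f"request asked for response_type={req['response_type']} "
                        f"but the redirect carries a '{got}' response")
    # The state must come back unchanged in the same component the flow uses.
    echoed = parse_qs(parts.fragment if got == "token" else parts.query).get("state")
    if echoed != [req["state"]]:
        problems.append("state was not echoed back unchanged")
    return problems
```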

Google's OpenID Connect says: OAuth 2 parameters can only have a single value: client_id

As part of the OpenID Connect (OAuth2 for Login), my application is supposed to request an access token, given a one-time authorization code, via the endpoint https://www.googleapis.com/oauth2/v3/token. According to documentation, this request needs 5 parameters passed to it, client_id among them. That is exactly what my application does, using the Perl module Net::OAuth2.
Everything has been working fine for several months, but today I was notified that it stopped working. No updates were made to the application code nor the libraries used by it.
The message my application now receives from the server when calling the token endpoint is this, in a 400 error response:
OAuth 2 parameters can only have a single value: client_id
A Google search suggests nobody has ever seen this message before, or lived to tell the tale. There doesn't seem to be a general issue with Google's OpenID Connect (other services based on it are working flawlessly), and the imminent shutdown of the old login protocol doesn't seem relevant.
More testing: removing all parameters except client_id causes this error message:
Required parameter is missing: grant_type
Supplying only client_id and grant_type produces the original error message again.
Does anyone have an idea what's going on here?
Google changed this behavior a few days ago, so any OAuth2 library using Basic Auth headers AND body request parameters will start to see messages like
OAuth 2 parameters can only have a single value: client_id
or
OAuth 2 parameters can only have a single value: client_secret
So, you must now NOT use both (the Auth headers and body request parameters) at the same time to send credentials to Google.
And according to RFC 6749, the preferable way to send credentials is through Auth headers (thanks to #JanKrüger for alerting me about this).
Got the same error. It seems the problem is that Net::OAuth2 sets the authorization header when exchanging the authorization code for an access token. If you remove this header everything works fine.
Check the get_access_token method in Net::OAuth2::Profile::WebServer module. The authorization header includes client_id:client_secret base64-encoded string. Apparently Google now treats this duplication as an error.
The right way of fixing this is to set the secrets_in_params parameter when creating Net::OAuth2::Profile::WebServer object. Look in the Net::OAuth2::Profile documentation for more details.
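The three answers above describe the same defect: the client sends client_id and client_secret twice, once in the HTTP Basic header and once in the form body. The following added Python example (mine, not Net::OAuth2 or Google's code) builds the token request in each of the three ways and includes a server-side check of the kind the error text implies; the exact rule Google applies is an assumption modelled on that text, and all credentials are constructed values.

```python
import base64
from urllib.parse import parse_qs, urlencode


def build_token_request(code, client_id, client_secret, redirect_uri, credentials="header"):
    """Assemble the code-for-token exchange (RFC 6749 4.1.3).

    credentials: "header" = HTTP Basic only (RFC 6749 2.3.1, the preferred form),
                 "params" = client_id/client_secret in the body only,
                 "both"   = header and body, reproducing the library behaviour
                            the answers above describe (what Google now rejects).
    Returns (headers, urlencoded body)."""
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if credentials in ("header", "both"):
        token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = "Basic " + token
    if credentials in ("params", "both"):
        body["client_id"] = client_id
        body["client_secret"] = client_secret
    return headers, urlencode(body)


def duplicated_parameter(headers, body):
    """Server-side check (assumed, modelled on the error text above): return the
    first parameter supplied more than once, either repeated in the body or present
    in both the Basic header and the body; None if every parameter has one value."""
    params = parse_qs(body, keep_blank_values=True)
    for name, values in params.items():
        if len(values) > 1:
            return name
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        decoded = base64.b64decode(auth[len("Basic "):]).decode()
        if ":" in decoded:  # header already carries client_id and client_secret
            for name in ("client_id", "client_secret"):
                if name in params:
                    return name
    return None
```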

Instagram API: do scopes work with OAuth2 implicit authentication flow?

I'm making requests against the Instagram API from a mobile app. Currently, I'm just directing the user to the Instagram auth url and specifying the response type to be "access_token". Specifying this response_type is known as implicit auth.
Explicit auth: response_type=code
Implicit auth: response_type=access_token
I'm trying to get around needing to stand up a web service to facilitate explicit auth. This would be necessary because in explicit auth flow, the Instagram API needs to make a call to a redirect URL and pass in a "code" parameter. The code would then be used by my server-side code to make a final request to Instagram for an access token.
It's much more efficient for a mobile app to use implicit flow because no extra privately-maintained auth service needs to be stood up to handle it.
Instagram supports the following scopes:
basic - to read any and all data related to a user (e.g. following/followed-by lists, photos, etc.) (granted by default)
comments - to create or delete comments on a user's behalf
relationships - to follow and unfollow users on a user's behalf
likes - to like and unlike items on a user's behalf
When I make any other type of scope specification besides "basic", I get the following response when the user provides the credentials at the auth URL:
{"code": 400, "error_type": "OAuthException", "error_message": "Invalid scope field(s): basic+likes"}
Any combination of scopes other than "basic" gives the same response.
So, my questions are these:
Is explicit auth required in order to specify scopes beyond "basic"?
Do I need to specify response_type=code in order for extended scopes to work?
Is this an Instagram limitation, or is it a limitation of OAuth 2.0?
Thanks in advance.
I just tried the implicit OAuth flow with my client_id and scope=basic+likes and it worked. Replace the URL below with your client_id and redirect_uri, and try.
https://instagram.com/oauth/authorize/?client_id=CLIENT_ID&redirect_uri=REDIRECT-URI&response_type=token&scope=basic+likes
Maybe Instagram is not allowing scopes other than basic with new client accounts...
The answer here is that YES, scopes can be requested by the implicit auth flow just fine. My problem was related to an OAuth component that I was using. The component was silently URL-encoding the value of the scope param, which was rejected by the Instagram auth endpoint. I updated the component (Xamarin.Auth) to accommodate a non-encoded scope param and issued a pull request.
Thanks to #krisak for providing a working URL that I could test.
So I had similar issues regarding the encoding of the + when trying to get permission for multiple scopes (basic, likes, comments). The solution I found was to use spaces between the individual scopes:
In the config/initializers/omniauth.rb file:
Rails.application.config.middleware.use OmniAuth::Builder do
provider :instagram, 'TOKEN', 'SECRETKEY' , {:scope => "basic likes comments"}
end
Unfortunately starting from April 14th 2015 new clients cannot get access for any scope but basic. Official message could be found at the client configuration page:
Starting April 14th 2015, new clients need to request access to be able to post likes, follows, and comments. For more information please read the Developer Blog at http://developers.instagram.com.
The message refers following blog entry: http://developers.instagram.com/post/116410697261/publishing-guidelines-and-signed-requests
Instagram requires personal request to be sent to enable scopes for your application (client ID), but your app has to meet certain conditions described in the blog entry.
I had the same problem. I found this solution and it works fine:
Go to Manage Clients under instagram/developer. Then click Edit under your app and uncheck "Disable Implicit OAuth". It will now work as intended.
Instagram changed this for a reason though, so you should probably think twice before going public with your app: http://instagram.com/developer/restrict-api-requests/
At this time, May 2015, YES.
As explained in the Instagram documentation about authentication:
The Instagram API uses the OAuth 2.0 protocol for simple, but effective authentication and authorization. OAuth 2.0 is much easier to use than previous schemes and developers can start using the Instagram API almost immediately. The one thing to keep in mind is that all requests to the API must be made over SSL (https:// not http://).
You first need to register your app here and then, with CLIENT ID provided by instagram, you can do this request:
https://api.instagram.com/oauth/authorize/?client_id=CLIENT-ID&redirect_uri=REDIRECT-URI&response_type=code
Where you have to put your client_id and redirect_uri.
Just for information, in redirect_uri field you can insert also
http://localhost
You must add "+" between scopes, like this: "basic+comments+follower_list+likes+public_content+relationships"

Google OAuth2 Authorizing OAuth token error: redirect_uri_mismatch

I am creating and authorizing an OAuth token according to this webpage: https://code.google.com/p/google-mail-oauth2-tools/wiki/OAuth2DotPyRunThrough
But I got this error: redirect_uri_mismatch.
The redirect URI in the request: urn:ietf:wg:oauth:2.0:oob did not match a registered redirect URI
from_login=1
cookie_policy_enforce=false
scope=https://mail.google.com/
response_type=code
access_type=online
redirect_uri=urn:ietf:wg:oauth:2.0:oob
as=-80019291b2cb8ed
display=page
pli=1
client_id=......
authuser=0
hl=en
I thought this might be helpful: Google OAuth 2 authorization - Error: redirect_uri_mismatch
But when I try to register the redirect URL in my console, I am told that the URL is invalid.
The redirect_uri (urn:ietf:wg:oauth:2.0:oob) is only applicable to those Google client ids that have been generated for installed applications. You can go to your console and create a new client id of this type.
Just in case you're using the Google+ JavaScript button (with a web application), you have to put postmessage instead of the actual URI. It took me almost a whole day to figure this out, because the Google docs don't clearly state it for some reason.
For my web application I corrected my mistake by writing http://localhost/authorize/ instead of http://localhost:11472/authorize/
When you register your app at https://code.google.com/apis/console and make a Client ID, you get a chance to specify one or more redirect URIs. The value of the redirect_uri parameter on your auth URI has to match one of them exactly.
Please note that the 'redirect_uri' value of the Token request needs to be the same as the 'redirect_uri' value of the Authorization request.
Lost 4 or 5 hours with this... use 'postmessage' as parameter value, not the real Redirect Uri...
$client->setRedirectUri('postmessage');
For anybody that is still stumped with this problem, you must have the 'Platform' set to 'Native (Windows Mobile, Blackberry, desktop, devices, and more)' when registering your app in the Google Cloud Console, otherwise, it will not let you use 'urn:ietf:wg:oauth:2.0:oob' as the redirect URI.
In my case, instead of creating a web app, I just chose Other in:
OAuth Client ID > Other
and that's it.
2015-07-15 - a working sign-in started causing Error 400 with Error: redirect_uri_mismatch
I posted a solution on a similar SO question: changed the loading script to
<script src="https://apis.google.com/js/client:platform.js?onload=startApp"></script>
For my native app, I tried dozens of different things. I finally got it to work by using "redirect_uri=http%3A%2F%2Flocalhost%3A1234" where 1234 is the port number. This has to be identical in the two requests (authorization code and the access token). Notice the use of percent encoding.
I was getting this error because I was incorrectly following the steps for the installed application flow here https://github.com/googleads/googleads-python-lib/wiki instead of the server-to-server flow.
The easiest way is to create the service account.
Create the document using your own account and share it with the service account.
redirect_uri must be an EXACT MATCH on the developers console.
In my case, this was due to a trailing slash ( / ).
In the Google Cloud console, I had http://localhost:8080 under the redirect URIs in the list while my code was sending http://localhost:8080/ while making the OAuth call.
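The answers above all come down to the same rule: the authorization server compares redirect_uri to the registered list as an exact string, and the urn:ietf:wg:oauth:2.0:oob value is only accepted for installed-application client IDs. The following added Python example (mine, not Google's implementation) applies that rule and, when a request is rejected, reports the kind of difference (port, trailing slash) from the nearest registered URI; the CLIENTS registry is a constructed stand-in with the URIs from the answers above.

```python
from urllib.parse import urlsplit

OOB_REDIRECT = "urn:ietf:wg:oauth:2.0:oob"

# Constructed client registrations (assumed shape, not Google's real data model).
CLIENTS = {
    "web-client": {"type": "web",
                   "redirect_uris": ["http://localhost:8080", "http://localhost/authorize/"]},
    "desktop-client": {"type": "installed", "redirect_uris": ["http://localhost:1234"]},
}


def redirect_uri_allowed(client_id, requested):
    """Exact string comparison against the registered URIs, no normalisation.
    The out-of-band URN is accepted only for installed-application clients."""
    client = CLIENTS.get(client_id)
    if client is None:
        return False
    if requested == OOB_REDIRECT:
        return client["type"] == "installed"
    return requested in client["redirect_uris"]


def explain_mismatch(client_id, requested):
    """Say why a redirect_uri was rejected, naming the nearest registered URI."""
    if redirect_uri_allowed(client_id, requested):
        return "ok"
    client = CLIENTS.get(client_id)
    if client is None:
        return "unknown client_id"
    if requested == OOB_REDIRECT:
        return "oob redirect is only valid for installed-application client ids"
    req = urlsplit(requested)
    for registered in client["redirect_uris"]:
        reg = urlsplit(registered)
        # Only diagnose candidates that agree on scheme, host and path (slash aside).
        if (reg.scheme, reg.hostname, reg.path.rstrip("/")) != \
                (req.scheme, req.hostname, req.path.rstrip("/")):
            continue
        if reg.port != req.port:
            return f"port differs from registered {registered}"
        if reg.path != req.path:
            return f"trailing slash differs from registered {registered}"
        return f"query or case differs from registered {registered}"
    return "no registered redirect_uri matches"
```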
