I have built out the OAuth process to allow customers using our app to integrate with Ebay. The OAuth works like a charm for most customers, but there is one customer in particular (based out of the UK, we are based out of US) who is unable to authenticate. I have had the customer use a variety of browsers, and even use incognito mode. However he is still unable to authenticate. Since I am unable to replicate his error I was hoping someone else had run into a similar issue.
Related
At work we have developed an individual customer specific software application that is in use for a long time. We have a new requirement in this same program to implement an option for sending emails directly from the program.
The user is able to add his own email account with the credentials and login through our program. For Microsoft and Gmail accounts OAUTH is implemented and something here is not very clear.
For Gmail-API we have made an OAUTH Client and Consent screen on Google Cloud Console which we need to publish and verify and here is where the problems start. I am not very clear with the whole process of verifying the app.
In the steps for verifying is stated that we should verify a domain for the app, but this software is not hosted anywhere on internet and is not publicly available, it is available to a number of specific users (2000-3000).
Also Google requires a YouTube video of the software to be available publicly, which we are not able to upload because of customer requirements. Also here is required a Data Protection Policy page for the application which we as a developers don't have because we are only developing the software.
Other thing that is not clear to me, how is this type of software rated by Google, internal or public?
Have anyone experience with this or something similar?
Verifying an app for one of the Gmail scopes is a very complicated process. This process depends upon which scope of authorization you are requesting of the users.
In your case you are trying to send an email so you are using the users.messages.send method from the Gmail api. This uses a restricted scope. Which means you will need to go though the full process.
First of it doesn't matter if your application is hosted or not. It also doesn't matter that you give this app to a limited number of users. What matters is the scopes you are using.
You will need to ensure that your domain has been registered via google search console. So this app will need a domain
Once that is done you will be able to host your website, and the privacy policy on that domain.
You will need to create a YouTube video showing your application running, and how authorization is used.
You will also need to submit to a third party security checkup of your application which is not free and will need to be done once a year.
All of this is needed because of your consent screen it doesn't matter if its hosted any where, It also doesn't matter if this is only available to specific number of users.
If all of the users are part of a single google workspace account, that has created your client id and client secrete then you can set the app to internal and you wont need to be verified. This only works for google workspace domain accounts.
I am a teacher preparing for distance learning. Google Forms are awesome, but they have some limitations. I created an old school google form with google sheets to get around a few issues I was having. I used the script from this data entry form
It works great! ...but I'm worried my students won't use it since they will get a warning that says "This app isn't verified." I know for a fact that my students will not click on the "advanced" button to authorize the app.
Is there a way around this?
Answer:
This screen can't be removed without app verification.
More Information:
As per the unverified apps page:
An unverified app is an app or Apps Script that requests a sensitive or restricted OAuth scope, but hasn't gone through the Google verification process. Users of unverified apps or your test builds might get warnings based on the OAuth scopes you're using. This is to protect users and their data from deceptive apps.
It's designed this way to stop tricky people with tricky apps blindsiding people by getting them to approve sensitive scopes without too much thought.
Unless you want to verify your app, which will need to be done through the GCP console (instructions on verification can be seen here), your only way around this is to just tell your students to click on the "advanced" button to authorise the app.
Side note: Verification is not required for Apps Script projects whose owner and users belong to the same G Suite domain or customer.
Further Reading:
Google Cloud Platform Projects | Apps Script | Google Developers
References:
Unverified apps - Google Cloud Platform Console Help
OAuth Client Verification | Apps Script | Google Developers
I've taken over development of a Google Analytics API dashboard for a content management platform, and upgraded the code to use OAuth2 as the older oauth was disabled recently. The authentication flow and subsequent API calls are all working fine on my localhost for development.
The problem is when trying the code from a different domain. Google wants the redirect_uri to be whitelisted through the developer console, and if it isn't there, it throws Error: redirect_uri_mismatch
As this is a self-hosted (+ open source) package, people will be able of installing on their own servers, there is no way I'll be able of adding all possible redirect_uri values to the app key in the developer console.
After a bunch of Googling and trying to understand the docs, I get the impression there are 2 possible solutions.
Instruct users to go to the Google Developer console, and to create an app key of their own, before also going through the OAuth2 flow within the distributed app to provide the code access to the data in Google Analytics.
Use a redirect_uri value of urn:ietf:wg:oauth:2.0:oob with an Installed App key, instructing people to copy/paste the code back into the self-hosted app after authentication.
Neither of these are really appealing as it adds a bunch of complexity for the user (though option 2 sounds mostly doable). Are there other options, or am I simply overlooking something simple?
You actually don't have any choice in this matter. You must go with nr 1. When you state this is a dashboard and web application it leads me to believe this is some kind of scripting language. This means that the client id and client secret will be displayed to your users / customers. This is against googles terms of service.
Changes to the Google APIs Terms of Service Asking developers to
make reasonable efforts to keep their private keys private and not
embed them in open source projects.
You may not release your client id and client secret to your users they are going to have to create there own. Which nicely solvers your redirect URI problem they have to make there own.
Further reading Can I really not ship open source with Client ID?
We already have a web app that integrate with differente Google services. Right now, you can loguin using a Google account, can import a contact lists from any Google account, and can sync a Google Calendar with our Calendar in the webapp (We implemented all of this using OAuth 2 and invoking the GoogleApi with a REST Client).
We are now trying to publish this app in the GoogleApp Marketplace, but we are failing to comply with the "Use one-click single sign-on" rule (https://developers.google.com/apps-marketplace/practices#5_use_one-click_single_sign-on).
We are believing that the problem is we the way we are solving the fact that we need offline access for all the integrated users in the app. Right now, the only way we found to get the refresh tokens for them, was starting the OAuth2 process with the parameters access_type=offline&approval_prompt=force, but this forces them to enter their credentials.
We aren't using the 'Google+ Domains API', and we are starting to believe that we should. Is the use of this API mandatory for complying with the "Use one-click single sign-on" rule?
Thanks,
Well, we finally figured it out. We had to use the Google Admin SDK in order to implement SSO. We had some troubles with the scopes, but after we polished that, everything seems to be working OK.
OK. This question has been asked a number of times and answered. However, it seems Intuit changed things on their part so:
Their own latest documentation is no longer correct
All the answers I found so far on the Internet no longer work
Therefore, the only option left is to ask the same question again.
I'm building a console application in C# that need to import data (invoices, customers, etc.) to QB online. It is an internal integration application that will be used by only one company. I definitely do not want to go on the SaaS route.
By all accounts it seems that I should the QuickBooks QBXML SDK v12 and should registered the application in QBOE at "www.appreg.intuit.com". However, this address no longer exists and the registration procedure has changed. QBOE currently support three types of applications:
QuickBooks API - SaaS
Customer Account Data API
Payments (QBMS) App
By considering the functionality I need (create invoices etc.) I should probably create a "QuickBooks API" application. However, this is a SaaS application which is unusable to me.
The "Customer Account Data API" is definitely not what I need.
The only option left is the "Payments (QBMS) App" which does not seem to be the right choice either. However, this is the only one of the three application types that can be either hosted or desktop and have "AppID" and "AppLogin" attributes described in various integration articles on the Internet when using the traditional SDK.
Therefore, I created a "Payments (QBMS) App" (Desktop, Production), followed documentation and articles, did all required settings and used the traditional SDK COM objects to connect to QuickBooks.
During the first connection attempt I approved the application in my QBOE account and set the connection token. Gave all permissions to the connection with no user authentication required.
In the end all I got is the following uninformative exception thrown by the QBSessionManager.BeginSession method:
System.Runtime.InteropServices.COMException (0x80040403): Problem communicating with QuickBooks Online Edition
If I turn on log-in security a dialog appears prompting me to log-in and paste a ticket. Upon opening the log-in URL
https://login.quickbooks.com/j/qbn/sdkapp/sessionauth2?serviceid=2004&appid=[AppID]
the following message appears
There is a problem with sharing your financial data between applications.
Error Message: Application [AppLogin] is not designed to work with service 2004
I also tried using qbXML directly which resulted in a "400 Bad request" error.
Is connecting to QBOE via the SDK still supported and what I'm supposed to do to achieve that?
Go here to create a QBOE application - http://developer.intuit.com/Application/Create/QBOE.
You should use traditional QBSDK.
Please refer this link - https://developer.intuit.com/docs/0025_quickbooksapi/0055_devkits/0250_qb
Thanks