We are looking for guidance with an error we are seeing in our logs relating to single sign on with Office 365 and our cloud hosted app which allows users to sign in using their Office 365 credentials.
Failed login attempts
Error messages in logs and we get emails O365OAuthCallback
These always result in a pair of errors in our logs: Error code AADST70002 and AADST70011, Invalid credentials and invalid and the extended message says OAuth doesn’t match reply address.
Our logs show users are able to log in and no customer has ever raised this with our support team. In spite of many attempts we have never been able to replicate the issue ourselves.
Is this a warning, a rate limit exceeded or a quota exceeded? What’s the best way to troubleshoot this? All guidance appreciated.
We are using Twilio Programmable Chat on our project for 1 year. On the mobile side we use twilio-chat v.6.0.0 SDK. On the backend side we use java library - com.twilio.sdk:twilio:7.51.0
Problem
But a couple of days ago we started experiencing problems with authorization on the mobile side. Everything is ok when we create new chats and work with them.
But when we try to fetch messages for the old chats (created before those problems), we receive the following error: access forbidden for identity (status: 403, code: 54007)
What we tried
We tried to upgrade/downgrade both mobile SDK and backend libraries.
I've read the code: 54007 documentation. We have never configured any Sync services; possibly they were introduced and not properly configured for the old chats?
We have only one Sync service that was created (automatically) recently and ACL enabled flag is set to false.
Here is the structure of our access token:
My guess is that something has recently been changed with the permissions in the Chat API and the default config is not working for us.
I don't know exactly what it could be. Please, help.
In our case we got the same error when trying to fetch messages for a channel where the user is not a member: Error: Access forbidden for identity (status: 403, code: 54007). This happened with Twilio SDK twilio-chat 6.0.0 and 4.1.0.
After we reviewed the "Roles and Permissions" section in the Twilio Console we noticed that the "service user" (which is the default user role for the chat user) did not have the permission "editChannelAttributes" activated, as compared to another sub account where fetching messages for unjoined channels was still possible.
Activating the permission "editChannelAttributes" for the service user and fetching messages seems to work again.
I'm not sure what the connection between this permission and fetching messages could be, but maybe this information is still helpful.
This is the official answer from Twilio Support that helped us:
Recently the engineering team has effectively deployed some modifications over Programmable Chat; before this change, users would be able to see channel messages that they were not part of. With this update, users will receive error code 54007 for Chat if they try to read any channel that they are not a member of.
I have got an error when following this Microsoft tutorial. This is the error I'm getting pic of error
I only get this error when I try to log in with my organizational AD account; however, when I log in with my personal Microsoft account, all works as expected.
I'm new to both Microsoft Graph and Laravel, so I'm not 100% sure what is causing the issue, but I believe that it might have something to do with permissions for the owned app in AD. If so, what permissions do I need to allow, as I believe the tutorial doesn't cover this?
I would also like to only allow logins from my organizational AD and not a personal Microsoft account but when I set the app to a single-tenant nothing works.
here is my Github repository
here is a picture of my owned app permissions
here is a picture of the error you get pic of error
hopefully, I have included everything that might need to help
Got this working by ensuring that I had user read permissions and mail read setting enabled on the owned permissions list. My org is still an on-prem mail system, which is unable to get the calendar; this can only be done with online mail and hybrid mail servers.
We got the request from Google to submit the YouTube API Audit form and we have submitted it with all information, but it seems our Console project with YouTube Data API is still not activated properly, because the status displays "Active" but the daily quota is blank.
When I try to update the daily quota with any number, it is set to blank on page refresh, and we are not able to make a single successful request.
We have been working with this console project and the YouTube API for the last 5 years without any issue, but in the last few months we have been getting many issues. First, we verified the OAuth screen with the requested scopes, and the verification process took 20-25 days before it was published. Now we are facing another issue with the quota limit and audit form.
Right now we are getting the error below, as attached in the screenshot, when authenticating my Google account with the permission of Manage YouTube data API.
There is no contact support provided, and I have submitted the form 3 times but got no reply from support, so we have been waiting for 1 month to get things working as normal.
Let me know if anyone has an idea!
Error:
Error calling GET https://www.googleapis.com/youtube/v3/channels?part=contentDetails&mine=true:
(403) Access Not Configured. YouTube Data API has not been used in project xxxxxxx before or it is disabled. Enable it by visiting
https://console.developers.google.com/apis/api/youtube.googleapis.com/overview?project=xxxxxxx then retry.
If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
Access Not Configured. Quota limit issue
This means that you do not have any quota to use the API. You need to apply for an additional quota within the Google developer console. It took me about three months to get a quota on my project.
This is not the same as going through the verification process, although it is similar. Unfortunately, you must have missed an email; you were probably notified a while ago that Google was locking down the quotas and that you should apply before losing the quota on your existing project.
There is no support other than going through the form and simply waiting until Google chooses to grant you some quota or they tell you they won't. This is the price of developing with a free API: Google gets to choose how they want to allow us to access things.
We are facing the below screen when trying to authenticate to Google. The app that we are trying to authenticate is used for internal development and we did not publish it to our users.
Any idea why this occurs?
We faced an Unverified App screen before (as below) but now the authentication is disabled.
OAuth Client Verification
Starting July 18, 2017, Google OAuth clients that request certain sensitive OAuth scopes will be subject to review by Google.
Review is not required if you are only using it under the same account as created the project in Google Developer console. You can read more about this change in this help center article.
This change applies to Google OAuth web clients, including those used by all Apps Script projects. By verifying your app with Google, you can remove the unverified app screen from your authorization flow and give your users confidence that your app is non-malicious.
Once you have applied for verification it takes around a week and it should start working.
I found this thread some time ago when this happened to us in our development project on Google Cloud Platform.
You can use a project for development without verification. No problem on that. But there are some limitations (more information here and here). Basically, we reached the limit of 100 users accessing the application. It was strange because we were testing with few accounts (5-6) until we found that, if you uninstall and install the application again, it counts as a new user. We were testing incremental authorization, so we uninstalled/installed the application a lot of times and we reached the quota.
When you reach this limit, you will see the message "Sign in with Google temporarily disabled for this app" and only users from the organization where the project is hosted can access the application. So we couldn't run tests with our accounts from a demo domain or our Gmail accounts.
The only solution available was to pass the OAuth verification form (even if you didn't want to publish the application), but there were problems doing it. For example, it was mandatory to remove http://localhost from valid OAuth URLs. And more problems related to development.
❗ But this has changed recently. I accessed the OAuth credentials screen in Google Cloud Platform (APIs & Services > Credentials > OAuth consent screen) during this week and now the page is different. Now you don't need to specify "Authorised JavaScript origins" and "Authorised redirect URIs"; you just need to specify your scopes for Google APIs and the Authorised domains. Then, at the bottom of the page you will find the button "Submit Verification" and the process will start. You will also find some information on the right:
About the consent screen
The consent screen tells your users who is requesting access to their data and what kind of data you're asking to access.
OAuth Developer Verification
To protect you and your users, your consent screen may need to be verified by Google. Without verification, your users will see an additional page indicating that your app is not verified by Google.
Verification is required if:
Your application type is public, and
You add a sensitive scope
Verification may take several days to complete. You will receive email updates as it's processed.
Saving without publishing
Even though your consent screen is unpublished, you can still test your application with users with the following limitations:
Sensitive scopes are limited to 100 grant requests before verification is required
Users see an additional page indicating that your app is not verified by Google.
To include "Authorised Javascript Origins" and "Authorised redirect URIs" you need to go to APIs & Services > Credentials and there click on your OAuth 2.0 client ID. There will be a form where you can add them.
In our case it took 1 day to get a response from Google. In the email there were some instructions to pass the verification. We had to reply to the email with a video uploaded on YouTube addressing the following points:
1. How does user sign-up on your app and grants access to the sensitive scopes requested in verification?
2. OAuth consent screen as seen by end users
3. How does your application use the requested scopes to provide services to developers?
4. A test account email and the password for us to test the user sign-up process and validate the project's functionality.
We recorded a video showing points 1, 2 and 3 and sent them a test account for number 4.
After 1 day, we got another response from Google confirming that our project had been verified.
So finally the problem was solved! 🙂
I hope this could help people in the same situation. It was really annoying for us.
I had to go into my Google Apps Script settings and turn on the "Google Apps Script API" setting. Then I tried again, and the script executed correctly without issue.
I had used the script a couple of weeks ago and it worked fine, so something must have happened between then and now that changed it... Not sure what caused that setting to switch.
We are upgrading from the 201109 API to the 201209 one. The 201109 one could run a report and get data back for any client under an Adwords Account (MMC included).
Now, I get an error of "CUSTOMER_SERVING_TYPE_REPORT_MISMATCH" with version 201209. https://developers.google.com/adwords/api/docs/troubleshooting?hl=en#ReportDefinitionError.CUSTOMER_SERVING_TYPE_REPORT_MISMATCH
Can anyone shed light as to why you can no longer generate a report (and how to fix) using ReportDefinitionService for clients under an MMC account?
Even I got the same error when the client-customer-id was set to the MCC Id, but when I changed it to the client Id of a particular Adwords account, this error did not occur.
I think you cannot generate a report across all client accounts in an MCC (if you are trying to do this). You will have to generate separate reports for each client account.
Hope this helps :D
You could download a list of account IDs from the account hierarchy report, then run your reports over each account ID. Unfortunately, querying the MCC no longer works.