I'm using the Google Identity Platform's OAuth 2.0 flow to authorize a javascript/HTML teacher observation form to write to a Google Sheets document. Everything is working well most of the time; however, last night one of our principals hit the following error:
"Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project."
I determined that he had launched the observation tool in the afternoon, and now maybe five hours later was trying to click the submit button. My hunch was that the token had expired, but from Google's documentation it seems like the JS auth library is meant to handle refreshing the access token as necessary - I believe it's not actually possible to get a refresh token to do anything manually.
I'm using what is essentially the sample auth code, and the app responds to being signed out appropriately. That is, if I sign out in another tab, the submit button is disabled and the sign-in button appears again. Assuming token expiration is the issue here, any ideas on the correct way to identify if the token has expired and how to request a new one, ideally without user interaction? Or if it's not an expiration issue, what else could it be? This user has successfully submitted data in earlier observations; it was just this one time when he waited ~5 hours (potentially losing internet connectivity / sleeping his laptop) during that time.
Here's the auth code:
var clientId = ""; //id removed
var discoveryDocs = ["https://sheets.googleapis.com/$discovery/rest?version=v4"];
var scopes = "https://www.googleapis.com/auth/spreadsheets";
var authorizeButton = document.getElementById('authorize-button');
function handleClientLoad() {
gapi.load('client:auth2', initClient);
}
function initClient() {
gapi.client.init({
discoveryDocs: discoveryDocs,
clientId: clientId,
scope: scopes
}).then(function () {
gapi.auth2.getAuthInstance().isSignedIn.listen(updateSigninStatus);
updateSigninStatus(gapi.auth2.getAuthInstance().isSignedIn.get());
authorizeButton.onclick = handleAuthClick;
});
}
function updateSigninStatus(isSignedIn) {
if (isSignedIn) {
authorizeButton.style.display = 'none';
document.getElementById('submit').disabled = false;
findRow(); //find the empty row once we're logged in
} else {
authorizeButton.style.display = 'block';
document.getElementById('submit').disabled = true;
}
}
function handleAuthClick(event) {
gapi.auth2.getAuthInstance().signIn();
}
Thank you!
Similar issues that i had resulted in issues from that Authorized Javascript origins.
"In the Authorized JavaScript origins field, enter the origin for your app. You can enter multiple origins to allow for your app to run on different protocols, domains, or subdomains. You cannot use wildcards. In the example below, the second URL could be a production URL." taken from https://developers.google.com/identity/sign-in/web/devconsole-project.If prompt to view task came from an email, the email origin must be verified -or- the device is used for multiple accounts, the token will not stay. If the api is being improperly used, it will allow functionality for a short period of time , then fail.
This may be useful, in the authflow, you do not have scope or id in options
/** * Initiate auth flow in response to user clicking authorize button. * *
#param {Event} event Button click event. */ function
handleAuthClick(event) {
gapi.auth.authorize( {client_id: '[#app:client_id]', scope:
["googleapis.com/auth/calendar"], immediate: false}, handleAuthResult);
return false; }
I believe How to refresh expired google sign-in logins? had the answer I needed. Since all of my API calls happen at once, I added a new Date() when the page loads, a second new Date() when the submission flow begins, and if they are more than 45min (2,700,700ms) apart, I use gapi.auth2.getAuthInstance().currentUser.get().reloadAuthResponse() to force an access token refresh, as documented at https://developers.google.com/identity/sign-in/web/reference#googleuserreloadauthresponse.
Hopefully Google will eventually update their documentation to reflect this now-necessary step when using the auth2 flow vs the older auth flow.
Time will tell if this actually solved the issue, but I'm hopeful!
I hope it helps you friend that error is because you have the wrong time, you go to date and time settings then press synchronize now.
Related
I am building a react native application with a rails backend but I decided to go for Firebase for authentication only since it's quite a bit cheaper than Auth0 or Okta.
The setup went fine but I am having trouble figuring out where to call my own backend to create/update a user in the sign in process.
This is my current sign in function that is triggered when pressing the 'Sign in with Facebook' button:
async function handleAuthentication() {
const result = await LoginManager.logInWithPermissions(['public_profile', 'email']);
if (result.isCancelled) {
return;
}
const data = await AccessToken.getCurrentAccessToken();
if (!data) {
return Alert.alert('Error', 'Something went wrong while authenticating with Facebook.');
}
const facebookCredential = auth.FacebookAuthProvider.credential(data.accessToken);
// This token doesnt seem to work
await upsertUser(facebookCredential.token);
await auth().signInWithCredential(facebookCredential);
}
What I get back from the auth.FacebookAuthProvider.credential(data.accessToken) is an object with a token but that doesn't seem to be useful.
When I call auth().signInWithCredential(facebookCredential); I do get back the user data that I need to create a user BUT that already triggers the authentication system and sets the user as signed while he/she isn't created in the backend yet.
So ideally, I would like to create the user before calling signInWithCredential.
Although I'm not sure how to do this or with what token?
I use a Rails backend where I can also decode the token if necessary.
Any help would be greatly appreciated!
What are the differences between using ChallengeHandler.submitChallengeAnswer(credentials) and WLAuthorizationManager.login(SECURITY_CHECK_NAME, credentials)?
You may also want to login a user without any challenge being received. For example, showing a login screen as the first screen of the application, or showing a login screen after a logout, or a login failure. We call those scenarios preemptive logins.
You cannot call the submitChallengeAnswer API if there is no challenge to answer. For those scenarios, the Mobile Foundation SDK includes the login API:
WLAuthorizationManager.login(securityCheckName,credentials).then(
function () {
WL.Logger.debug("login onSuccess");
},
function (response) {
WL.Logger.debug("login onFailure: " + JSON.stringify(response));
});
If the credentials are wrong, the security check sends back a challenge.
It is the developer’s responsibility to know when to use login, as opposed to submitChallengeAnswer, based on the application’s needs. One way to achieve this is to define a Boolean flag, for example isChallenged, and set it to true when handleChallenge is reached, or set it to false in any other cases (failure, success, initialization, etc).
When the user clicks the Login button, you can dynamically choose which API to use:
if (isChallenged){
userLoginChallengeHandler.submitChallengeAnswer(credentials);
} else {
WLAuthorizationManager.login(securityCheckName,credentials).then(
//...
);
}
MobileFirst implements OAuth 2 authorization framework, https://www.ibm.com/support/knowledgecenter/en/SSHS8R_8.0.0/com.ibm.worklight.dev.doc/dev/c_oauth_security_model.html. There are two stages in the implementation, Obtaining an access token, and
Accessing a protected resources by using an access token.
ChallengeHandler APIs are used to implement the first stage, Obtaining
an access token. WLAuthorizationManager APIs are used to implement the
second stage, Accessing a protected resources. More details can be found
at https://www.ibm.com/support/knowledgecenter/SSHS8R_8.0.0/com.ibm.worklight.dev.doc/dev/c_oauth_client_apis.html?view=embed#c_oauth_client_apis
I have two related questions and I hope someone help me because I've been stuck for 2 days
First: mobile phone failed to authenticate
Here is what I have done:
1- user signs up
2- token released
3- token saved in user's device
but then when the same user try to do API requests I get
Rooute to sign up :
$api = app('Dingo\Api\Routing\Router');
$api->version('v1', function ($api) {
$api->post('auth/signup', 'App\Api\V1\Controllers\AuthController#signup');
then I get a token , so I guess everything looks great!
then now when the same device sends a post request to laravel I get this message
"message": "Failed to authenticate because of bad credentials or an invalid authorization header."
this is the route to the post request
$api->group(['middleware'=>'api.auth'],
function ($api) {
$api->post('auth/ios', 'App\Api\V1\Controllers\AuthController#create');
Second: is my method right to save data made by a mobile phone?
Since I couldn't test this method I'd like to know if this is at least one of the right ways to receive data and save it. The reason to save it is because I will show it in a control panel.
public function create(Request $request)
{
$user = new User();
$id = Auth::id();
$user->phone = $request->input('phone');
$user->city = $request->input('city');
$user->street = $request->input('street');
$user->save();
return 'Employee record successfully created with id ' . $user->id;
}
I understand that you are authenticate users based on api token.
Here is what you could do :
set up a column called api_token in users table by adding the following migration
$table->string('api_token', 60)->unique();.This generates a random api token for every user.
send the api_token back to the user's device and save it there
Send it back with every request. Preferalbly set it up globally and send it in the request Authentication request header
Get the authenticated user like so$user= Auth::guard('api')->user();
Laravel takes care of all the authentication stuff behind the scenes.
Learn More about this here
Whenever a user has previously authenticated with Google, it automatically defaults to logging them in with THAT account on subsequent attempts. I want to eliminate this and force the popup/redirect so that a user with multiple google accounts can choose which one to use. How?
Background:
The automatic logging in feature is proving problematic for me as I have a whitelisted set of e-mails for users allowed to use my app. If a Google user chooses the wrong account when first logging in, they can't go back and choose the one associated to their whitelisted e-mail.
Just as #nvnagr said, you can do this with the following code:
var provider = new firebase.auth.GoogleAuthProvider();
provider.setCustomParameters({
'prompt': 'select_account'
});
But I think you need to update the firebase version to 3.6.0 something.
Google supports a parameter in authentication url to deal with this issue.
If you add prompt=select_account in your request to Google authentication, it'll force the user to do an account selection. See the details and other values of prompt.
https://developers.google.com/identity/protocols/OpenIDConnect#authenticationuriparameters
I'm not sure if there is an easy way to add this parameter through firebase api.
When you're calling the oAuth function, you can pass a third options parameter to make the authentication last for the session only. This should solve your problem. Docs
var ref = new Firebase("https://<YOUR-FIREBASE-APP>.firebaseio.com");
ref.authWithOAuthPopup("google", function(error, authData) {
if (error) {
console.log("Login Failed!", error);
} else {
console.log("Authenticated successfully with payload:", authData);
}
}, {
remember: 'sessionOnly'
});
To start I am using the Google OAuth 2.0 code from this site https://github.com/google/google-api-php-client
I need to find out where in this oauth directory the token expires and logs you out. I am having issues with the refresh token and usually the token expires in 1 hour and throws me an error, but I cant keep waiting for 1 hour each time I make a change to see if the code works or not. I have changed some time settings in the code to like 10 or 60 seconds but they don't do anything. Please let me know which file and where I can change the time the token expires and logs out the logged in user.
Thanks,
I have added the following code because the problem is in here, something with this get function is not renewing/using the refresh token. How can I write this code better.
$service = new Google_Service_Oauth2 ($client);
if ($client->getAccessToken()) {
//For logged in user, get details from google using access token
$user = $service->userinfo->get();
$user_id = filter_var($user['id'],FILTER_SANITIZE_SPECIAL_CHARS);
$user_name = filter_var($user['name'], FILTER_SANITIZE_SPECIAL_CHARS);
$first_name = filter_var($user['given_name'], FILTER_SANITIZE_SPECIAL_CHARS);
$last_name = filter_var($user['family_name'], FILTER_SANITIZE_SPECIAL_CHARS);
$email = filter_var($user['email'], FILTER_SANITIZE_EMAIL);
// $profile_url = filter_var($user['link'], FILTER_VALIDATE_URL);
$profile_image_url = filter_var($user['picture'], FILTER_VALIDATE_URL);
$gender = filter_var($user['gender'], FILTER_SANITIZE_SPECIAL_CHARS);
// $personMarkup = "$email<div><img src='$profile_image_url?sz=50'</div>";
$_SESSION['upload_token'] = $client->getAccessToken();
}
There is no way to change Google's access token expiry time. However, the Google_Client::isAccessTokenExpired() method will return true if the token has expired or expires in 30 seconds from now. Your code should not need to deal with renewing a token only after it fails but can check if the access token is expired before it is going to call any method with that particular access token.
There's still an edge case that remains: you can simulate that by manually revoking the access token (out-of-band of your app) using:
curl https://accounts.google.com/o/oauth2/revoke?token=<access_token>
and then run/test your code that still holds on to the now revoked access token. The error code on access is the same for revoked or expired ("invalid_token"), and the handling is the same anyhow.