Using 2-legged OAuth with Gmail IMAP - oauth

I am trying to use OAuth to do a 2-legged authorization to the Gmail IMAP server, as documented
in https://developers.google.com/gmail/oauth_protocol. I am having trouble, getting "invalid credentials" in response to the AUTHENTICATE XOAUTH command.
Obviously there are many potential points of error in my code, but I believe I have the SHA1 generation, URL encoding and Base64 encoding all done correctly. My specific question right now is regarding how to identify my application as being allowed to use 2LO. This documentation
(https://developers.google.com/accounts/docs/OAuth#GoogleAppsOAuth) says that third party software vendors must register their application with Google to use 2LO, and that domain administrators must grant access to those vendors. However, I have experimented with a commercial application that does this, and I am not required at any point to grant access to it, just supply it with my domain's consumer key and secret. It works fine. (Nevertheless, I have gone into the Google Apps console and checked "enable this consumer key" and "allow access to all APIs").
In the IMAP XOAUTH protocol, where would I tell it what my application is? The only place I see would be the "XOauth_requestor_id" parameter. Is that it? What do I put there? I have tried the email address and various other values that I get from the Google API control panel, but nothing works.
Any help or examples (of all the input data and resulting base64-encoded output) you can provide would be appreciated.
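The question asks for a worked example of the input data and the resulting base64 output. The block below is an added example, not code from the question or from Google; it builds the 2-legged XOAUTH (OAuth 1.0a) initial client response in the layout Google's now-deprecated oauth_protocol document describes, where xoauth_requestor_id carries the address of the mailbox being opened and no oauth_token is sent, and it includes a checker that recomputes the HMAC the way the server does. The consumer key, secret, nonce and timestamp are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote


def _esc(s: str) -> str:
    # OAuth 1.0a percent-encoding: only A-Za-z0-9 and -._~ stay unescaped.
    return quote(s, safe="-._~")


def sign_request(method, base_url, params, consumer_secret):
    # Base string: METHOD&enc(url)&enc(sorted k=v pairs); key is "consumer_secret&" (empty token secret in 2LO).
    normalized = "&".join(f"{_esc(k)}={_esc(v)}" for k, v in sorted(params.items()))
    base_string = "&".join([method, _esc(base_url), _esc(normalized)])
    key = f"{_esc(consumer_secret)}&".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode(), base_string


def build_xoauth_2lo(user, consumer_key, consumer_secret, nonce, timestamp):
    """Plaintext SASL XOAUTH initial response for a 2LO IMAP login to `user`'s mailbox."""
    base_url = f"https://mail.google.com/mail/b/{user}/imap/"
    # 2LO names the mailbox owner via xoauth_requestor_id; no oauth_token is sent at all.
    url_params = {"xoauth_requestor_id": user}
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_version": "1.0",
    }
    # The signature covers both the oauth_* fields and xoauth_requestor_id.
    oauth_params["oauth_signature"], _ = sign_request("GET", base_url, {**oauth_params, **url_params}, consumer_secret)
    header = ",".join(f'{k}="{_esc(v)}"' for k, v in sorted(oauth_params.items()))
    query = "&".join(f"{k}={_esc(v)}" for k, v in url_params.items())
    return f"GET {base_url}?{query} {header}"


def encode_for_imap(sasl: str) -> str:
    # What the client actually sends as the argument of "AUTHENTICATE XOAUTH".
    return base64.b64encode(sasl.encode()).decode()


def verify_xoauth(sasl: str, consumer_secret: str) -> bool:
    """Recompute the signature the way the server does, to debug 'invalid credentials'."""
    method, url, header = sasl.split(" ", 2)
    base_url, _, query = url.partition("?")
    raw = dict(kv.split("=", 1) for kv in query.split("&") if kv)
    raw.update(item.split("=", 1) for item in header.split(","))
    params = {k: unquote(v.strip('"')) for k, v in raw.items()}
    sig = params.pop("oauth_signature")
    expected, _ = sign_request(method, base_url, params, consumer_secret)
    return hmac.compare_digest(expected, sig)
```

If verify_xoauth accepts your own string but Gmail still answers "invalid credentials", the signing arithmetic is not the problem and the consumer key/secret or the domain-side 2LO authorization is the place to look.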

Related

Error message "You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy for keeping apps secure"

I am developing a web-based application that will allow my trusted staff to edit the titles, descriptions, tags, etc. of my YouTube channel. In attempting to "Opt In" to my own application, I was sent to the callback URI with an error message:
You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy for keeping apps secure. You can let the app developer know that this app doesn't comply with one or more Google validation rules.
Some history - when I first attempted to obtain a code to exchange to an authorization token, it actually worked! However, as I was writing the code to harvest the code and exchange it for the authorization token, I repeated the "Opt In" process multiple times. Before I was ever able to perfect my code to exchange the code for an authorization token, I began getting the error message to the effect that the app is insecure and cannot be signed in to.
More history - after reading a Stack Overflow article describing something similar, I deleted the project, created a new project, generated a new Client ID and Client Secret, and then repeated the test with the same failure.
I am the only Test User of the app. I can't find any notification in my console alerting me to the nature of the security issue triggering the failures. I have reviewed the OAuth policies at "OAuth 2.0 Policies" and cannot find anything even remotely wrong.
What is wrong and how can I fix it?
I also had the same issue.
For me, it turned out that my redirect_uri was not valid. The redirect_uri that gave the error:
http://localhost:8000api/vi/oauth/google
What was wrong in my case:
- I should have put a / before api.
- vi is different from what I registered on GCP. It should be v1.
I would suggest that you print out the redirect_uri when your app is performing the code exchange, and verify every single character carefully.
Additionally, check out the documentation of Google's Redirect URI validation rules to see if your redirect_uri complies with all the rules.
You probably changed the port where the project is running or you did not define the address where the project is running in Google Cloud.
Google Cloud → APIs and Services → Credentials → OAuth 2 Client ID → change Authorized JavaScript origin to the port that your app runs on the local or shared host.
The URL may take time to be registered, so it may not work right away; you can also create a new credential.
For me the redirect_uri was correct, but as a result of an error, the access code was requested for a different client ID.

Find out who invited my bot the server using OAuth redirect uri

Before someone marks this question as duplicate,
Yes I know audit log is a thing.
No I won't use it because it requires permission.
Yes it's easier to find out server owner
No I need to know exactly who invited my bot
I want to:
Find out who invited my bot to the server (user-guild id pair) using invite link redirection.
I read about the OAuth2 API but didn't quite understand it due to my lack of background knowledge.
All I understand is that bot invite links can have a redirect URI,
and some information is transferred to it after authentication.
Is it possible to get user/guild id from this?
I tried:
Setting up an HTTP server using python -m http.server,
adding my IP to the redirect URI list on the dev page, and generating an invite link containing a redirect to my IP.
But I didn't get redirected to my HTTP server after inviting my bot using that link,
and nothing got printed on the HTTP server console either.
Things to note:
A. Don't reveal your client secret or your bot token for any purpose. If you do so, immediately regenerate them from the developer portal.
B. Code and token have different meanings in the answer below.
C. This is not for absolute beginners and you are expected to have a general understanding of web requests (specifically GET and POST requests). You might also need to host the site handling the redirect URL.
D. This does not cover security issues in any shape, way or form.
1. In the bot tab of the developer portal, enable the REQUIRES OAUTH2 CODE GRANT option. This prevents the bot from joining a server unless step 4 is completed.
2. Then use the OAuth tab to generate an OAuth URL with identity and bot scopes. This is important to get user info in step 5.
3. When someone visits the URL, logs in, and selects a server, they are redirected to your redirect URL. This URL receives a single-use code as a URL parameter, i.e. the URL will be <base_url>&code={code}<other stuff>. It is up to you (and probably outside the scope of any SO answer; google is your friend here) to set up a web server and handle requests.
4. This code can then be used to get a token. This link explains how to exchange the code for a token. It involves sending a POST request with your application's client id and secret. Both are available from Discord's developer portal. The response will also have information about the guild along with the token, in the fields "guilds" and "access_token" respectively.
5. Send a GET request to https://discord.com/api/v9/users/@me with a header containing Authorization: Bearer ${token} where the token is obtained in step 4. The response is in JSON format and contains the user data specified here. Note: The link above is for the latest API version v9, which may change in future versions.
Edit:
It is possible to manually modify the URL to remove the identity scope from the URL. The bot would still join the server as long as you make a request to exchange the code for the token. In this case, the request to /users/@me would fail and you would have no access to the user object. It should be easy to make the bot leave the server if the request fails with the status code corresponding to unauthorized.
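As an added example (not code from the question or the answer above), the redirect-handling side of steps 3 to 5 in Python: parsing the redirect, building the code-for-token POST and the /users/@me GET, and pairing the user id with the guild id. It assumes Discord's standard token endpoint https://discord.com/api/oauth2/token and that the redirect carries a guild_id query parameter; the state check is an addition so that only redirects from a link you issued are exchanged.

```python
import secrets
import urllib.parse
import urllib.request

# Assumed endpoints: the token endpoint is Discord's standard OAuth2 one (not named on the page).
TOKEN_URL = "https://discord.com/api/oauth2/token"
USERS_ME_URL = "https://discord.com/api/v9/users/@me"


def new_state() -> str:
    # Random value placed in the invite link so the redirect can be tied to a link we issued.
    return secrets.token_urlsafe(16)


def parse_redirect(path: str, expected_state: str) -> dict:
    """Return the query parameters of the redirect-URI request (code, guild_id, ...).

    A redirect whose state we never issued did not come from one of our invite
    links, so it is rejected before any code is exchanged.
    """
    query = urllib.parse.urlsplit(path).query
    params = {k: v[0] for k, v in urllib.parse.parse_qs(query).items()}
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: not a redirect from one of our invite links")
    if "code" not in params:
        raise ValueError("redirect carries no authorization code")
    return params


def token_exchange_request(client_id, client_secret, code, redirect_uri):
    """The POST from step 4: trade the single-use code for an access token."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,  # server side only; never ship this to a browser
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,    # must match the URI registered in the dev portal
    }).encode()
    return urllib.request.Request(TOKEN_URL, data=body, method="POST",
                                  headers={"Content-Type": "application/x-www-form-urlencoded"})


def users_me_request(access_token: str):
    """The GET from step 5; the bearer token travels only in the Authorization header."""
    return urllib.request.Request(USERS_ME_URL, headers={"Authorization": f"Bearer {access_token}"})


def inviter_pair(redirect_params: dict, user_json: dict) -> tuple:
    """(user id, guild id): the user from /users/@me, the guild (assumed guild_id) from the redirect."""
    return user_json["id"], redirect_params["guild_id"]
```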

Getting invalid authorization_code, error AADSTS70000: The provided value for the 'code' parameter is not valid. The code has expired

I'm using an Office 365 Family account, and getting an incorrect authorization code back, using the following url:
'https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=[CLIENT ID]&response_type=code&redirect_uri=[REDIRECT URI]&response_mode=query&scope=offline_access%20Calendars.ReadWrite%20Files.ReadWrite.All%20User.Read%20openid%20profile&state=12345';
The code I received on one attempt was: M.R3_BAY.44e411b5-8fcf-f0be-2356-d56fd3293055, and they all have that format whenever I try, which is not what it should be like, and does not decode on jwt.
Can anyone please tell me what's going wrong? I've been searching for months for an answer without any luck.
If this is the authorization code, it is not meant to be decoded.
You are supposed to exchange it for tokens, which are in JWT format.
Documentation: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#request-an-access-token
If this is in fact an access token, it could be for a personal Microsoft account. I've seen different format tokens there before.
You currently allow all Office 365 accounts and personal Microsoft accounts, since you use the common endpoint on v2.0.
If you only mean to support all Office 365 accounts, you can use organizations instead.

ss_domain parameter in context of OAUTH or OpenID?

I'm trying to learn about OAUTH and OpenID Connect.
Thus I am investigating my own traffic, listening for Authorization Requests and Grants by checking for the required parameters in OAUTH as described in https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1 and https://www.rfc-editor.org/rfc/rfc6749#section-4.1.2 for the Authorization Code Flow, as well as in sections 4.2.1 and 4.2.2 for the Implicit Flow.
Unfortunately, by using the SSO option for Google on joinhoney.com, I am only able to catch the Request, but not the Authorization Grant.
So, while debugging and having a look at the actual request, I can see the following parameters in the query part of the url:
Parameter            Value
redirect_uri         storagerelay://https/www.joinhoney.com?id=auth[censoredID]
response_type        permission id_token
scope                email profile openid
openid.realm
client_id            705229005811-2fdpup66d8aefq4qs2ru1n8qiosuq4fb.apps.googleusercontent.com
ss_domain            https://www.joinhoney.com
fetch_basic_profile  true
gsiwebsdk            2
Now, to get to the actual question:
Where can I find some specified information about the ss_domain parameter?
I could not find any information in https://www.rfc-editor.org/rfc/rfc6749 or on https://openid.net/; however, when searching Google I can find some people using the ss_domain parameter (only without further explanation), so I doubt it is something used only by joinhoney.com.
I would be happy if somebody could shed some light on this!
Thank you!
If you are at www.example.com and your redirect_uri is on a different domain, e.g. subdomain.example.com, you need to set ss_domain to https://subdomain.example.com.
This custom ss_domain change, however, is not possible using the Google login client-side SDK. You have to build the URL manually.

invalid_client the oauth client was not found error

If I just want to enable OAuth with Google, do I need to enable APIs for that?
If I do, which ones do I need? I just want to be able to use passthrough authentication with OAuth2. I have been looking at questions for hours trying to find a solution to this error. The only thing that doesn't look quite right is that the full client_id is not displayed in the error; the URL is a little longer.
401. That’s an error.
Error: invalid_client
The OAuth client was not found.
Request Details
response_type=code
redirect_uri=http://localhost:8080/auth/google/callback
scope=profile email
client_id= 404342589460-ig7nuv617skbfaestvsc1jrpqtnipvv2.apps.googleuserconte
You don't need to enable APIs. After copying the values from the Google web UI, remove the blank space at the beginning and at the end of both the client ID and the secret.