Google Authentication w/Firebase blocked even after updating authorized domains - firebase

I am currently setting up the Google Auth provider within my firebase application. I have enabled the Google Auth provider, as well as the authorized domains within the authentication tab.
Even after updating my authorized domains, etc. I am still receiving the following error:
iframe.js:299 Info: The current domain is not authorized for OAuth operations. This will prevent signInWithPopup, signInWithRedirect, linkWithPopup and linkWithRedirect from working. Add your domain (ys-provider-map.firebaseapp.com) to the OAuth redirect domains list in the Firebase console -> Auth section -> Sign in method tab.
Is there something I may have missed? Any and all feedback is much appreciated.

A similar issue was reported in this GitHub thread.
The reason for this error may be that you didn't have the Firebase app domain itself (*.firebaseapp.com) included in the "Accept requests from these HTTP referrers (web sites)" list in the Google API credentials for the app key (https://console.developers.google.com/apis/credentials/key).
This must be a fairly recent requirement, as accepting requests from the actual site domain was enough before.
Hope the above information helps.
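To make the diagnosis in the answer concrete, here is an added example (not code from the question, the answer, or Firebase): a simplified model of the HTTP referrer restriction on a Google API key, run against the site's own login page and against the auth handler page that Firebase serves from the project's firebaseapp.com domain (the domain named in the error). The pattern semantics are an assumption for illustration: a "*" in the host part matches within the host only, a "*" in the path part matches any path suffix, and a pattern with no path matches any path on that host. The site name and handler path are constructed.

```javascript
// Added example (not from the question or answer): a simplified model of the
// "HTTP referrers" restriction on a Google API key. Pattern semantics below are
// an assumption for illustration, not Google's documented matching rules.

function escapeRegExp(s) {
  return s.replace(/[.+?^${}()|\[\]\\]/g, "\\$&");
}

function patternToRegExp(pattern) {
  const bare = pattern.replace(/^https?:\/\//, "");
  const slash = bare.indexOf("/");
  const host = slash === -1 ? bare : bare.slice(0, slash);
  const path = slash === -1 ? "" : bare.slice(slash + 1);
  // Host wildcards must not cross a "/", otherwise a path like
  // other.example/x.firebaseapp.com/... would satisfy "*.firebaseapp.com/*".
  const hostRe = escapeRegExp(host).replace(/\*/g, "[^/]*");
  const pathRe = path === "" ? "(?:/.*)?" : "/" + escapeRegExp(path).replace(/\*/g, ".*");
  return new RegExp(`^${hostRe}${pathRe}$`);
}

function referrerAllowed(referrer, patterns) {
  const bare = referrer.replace(/^https?:\/\//, "");
  return patterns.some((p) => patternToRegExp(p).test(bare));
}

// Constructed values: the site's own login page and the auth handler page that
// Firebase hosts on the project's firebaseapp.com domain.
const SITE_LOGIN = "https://www.example-site.com/login";
const AUTH_HANDLER = "https://ys-provider-map.firebaseapp.com/__/auth/handler";

// A restriction that lists only the site: the handler's requests are rejected.
const SITE_ONLY = ["www.example-site.com/*"];
// A restriction that also lists the Firebase-hosted handler domain.
const WITH_HANDLER = ["www.example-site.com/*", "*.firebaseapp.com/*"];

// Returns whether each origin involved in the sign-in flow passes the restriction.
function checkAuthFlow(patterns) {
  return {
    site: referrerAllowed(SITE_LOGIN, patterns),
    handler: referrerAllowed(AUTH_HANDLER, patterns),
  };
}

console.log(checkAuthFlow(SITE_ONLY));    // { site: true, handler: false }
console.log(checkAuthFlow(WITH_HANDLER)); // { site: true, handler: true }
```

The point of the second run is that the popup and redirect flows are not made from the site's origin alone: the handler page on firebaseapp.com also calls Google's APIs with the same key, so a referrer list that covers only the site blocks exactly that step.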

Related

Getting HTTP OAuth 2.0 to work for google analytics (ga4)

Can't establish a persistent API connection to GA4 from Make (formerly Integromat). I use an HTTP OAuth 2.0 connection.
I've enabled the Google Analytics Data API v1.
In GCS I've created a project, enabled the above-mentioned API with authorized domains integromat.com and make.com, and also created an OAuth 2.0 app. The scopes I added were:
https://www.googleapis.com/auth/analytics.readonly
https://www.googleapis.com/auth/analytics
I created credentials for a web app with the authorized redirect URIs of
https://www.integromat.com/oauth/cb/oauth2
https://www.integromat.com/oauth/cb/google/
The connection works but only for a short period (I assume the token expires). To try and mitigate this I created a service account. That does not work as I can't find a way to add an authorised URI to a service account. This is the Make error:
Error 400: redirect_uri_mismatch
You can’t sign in to this app because it doesn’t comply with Google’s OAuth 2.0 policy.
If you’re the app developer, register the redirect URI in the Google Cloud Console.
Request details: redirect_uri=https://www.integromat.com/oauth/cb/oauth2
Any ideas please? I'm truly stuck.
Your question lacks a bit of information as to what exactly it is you are trying to do. However, there is enough here that I can help you clear up a few issues or misunderstandings.
OAuth2
OAuth2 allows your application to prompt a user to request permission to access their data. The authorization server returns an access token to you; this access token is good for only an hour and then it will expire.
If you are using a server-side programming language then you can request offline access, at which point the authorization server will return to you an access token and a refresh token. The refresh token can then be used by you when needed to request a new access token.
Service accounts.
Service accounts can be used if you are only accessing private data that you, the developer, own. You can create a service account, then go into the admin section of the Google Analytics website and add the service account as a user; it will then have access to that account. There will be no need to request consent of a user to access the data, it will just work. Note: service accounts only work with server-side programming languages.
Redirect URI issue.
The redirect URI must exactly match the web page that your application is sending. In this case the error message says you are missing https://www.integromat.com/oauth/cb/oauth2, so you should add that.
Google OAuth2: How the fix redirect_uri_mismatch error. Part 2 server sided web applications.

Firebase authenticated requests to Google App Engine

I currently have some routes in Google App Engine's app that are protected using the Users API in Google App Engine. I've now been asked to support users that do not have a Google account.
It seems to me Firebase auth is the tool I need, but I can't figure out exactly how to integrate it:
I have made a login page, with the drop in auth solution, that redirects to one of my protected routes.
I expected the request for that page (after the redirection) to contain a token I could check in Google App Engine.
I know the initial auth step worked, because if I check Firebase auth on the client side on that new page, it works:
firebase.auth().onAuthStateChanged(console.log); // prints my email
Is there no way for the HTTP requests to include the token so that I can check them server side?
Thanks!

Multiple Web App Registration Not working in AAD

We have two Azure AD web apps registered under one Outlook account for OneDrive development under the portal apps.dev.microsoft.com. We have created two apps because we need our app to support callback URLs from two servers with different DNS. Unfortunately only the first app that was created works, in which we can get the access token using the v2.0 endpoint and then subsequently access OneDrive resources using the Graph API.
The second app that we created to support another server with a different DNS does not work. We are unable to get an access token and the response is below:
AADSTS70000: The request was denied because one or more scopes requested are unauthorized or expired. The user must first sign in and grant the client application access to the requested scope
One App: reply URLs: https://www.example.org/OneDriveApp/callback.jsp - works great
Second App: reply URL https://www.example2.net/OneDriveApp/callback.jsp - failure to get OAuth Access Token.
This error generally means the auth code you've gotten is not meant for tokens on the specified endpoint. This can happen from misconfiguring the auth endpoints, registering the app in the wrong spot, or a malformed request.
The first thing to check with this error is your auth endpoints.
Next, make sure you're using the correct library to obtain the authorization code.
Also, make sure that you are not registering the app in the wrong blade (regular AD vs b2c).
What do you have as the URL for the token endpoint?

Why does Firebase auth use a "middleware" redirect before returning to my app?

I'm trying to add authentication to my web app by using Firebase Auth and I would like to avoid using the Firebase JS SDK because it's too big in my opinion, and also as an exercise for getting to know the underlying protocols better.
I've noticed that the Firebase Auth SDK doesn't directly redirect to the OAuth endpoint and then back. Instead, it redirects to https://my-app.firebaseapp.com/__/auth/handler which then redirects into the OAuth endpoint with itself as a callback, and then back into my requested callback URL.
So basically instead of:
myapp.com
↓
accounts.google.com/o/oauth2/v2/auth
↓
myapp.com
This happens:
myapp.com
↓
myapp.firebaseapp.com/__/auth/handler
↓
accounts.google.com/o/oauth2/v2/auth
↓
myapp.firebaseapp.com/__/auth/handler
↓
www.myapp.com
I couldn't find any documentation about this API anywhere, but I think that maybe it's an internal middleware for CSRF prevention, or maybe just an API that does the heavy lifting of closing the gap between different Federated Identity APIs.
The reason I'm interested in this is that it can save me some time and possibly money if it does one of the above, and I'm pretty sure I might learn something new from it (I at least hope so).
So, what is the https://my-app.firebaseapp.com/__/auth/XXX endpoint used for, and is there any docs on using it?
It is mostly for ease of use and convenience. You just use one whitelisted callback URL for all your OAuth providers (set up just one redirect URL for all your OAuth providers). You don't have to worry about hosting it as Firebase Auth does that for you. Now you can host your application in multiple domains for production, localhost for development, etc. As long as these are whitelisted in your project, you can sign in with any OAuth provider of your choosing. You can add and remove whitelisted domains from one place in your project settings. Note some OAuth providers in the past used to allow only one callback URL. This would have bypassed that limitation.
It also works for popup flows as well as the typical OAuth redirect flow. For example, many developers choose to use popup flows for desktop and redirect for mobile devices.
Notice also that for the redirect flow, it does not pass the OAuth authorization code, etc. back to your webpage via the URL query string; instead it does that via iframe postMessage. So the redirect back to the original URL will have the exact same URL, unmodified. So you can start with https://www.example.com/#login and then go back to the same URL to complete login.
In addition, it does not require server-side code as is typically done with Express Passport, etc. No boilerplate code either.
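Since the answer points out that the result comes back through iframe postMessage rather than the query string, the receiving page has one check that matters: the message must come from the handler's origin and nowhere else. The following is an added illustration of that receiving side, not Firebase's code and not its actual message format; the handler origin, the "auth-result" message shape and the constructed events are assumptions made so the function can be exercised outside a browser.

```javascript
// Added example, not from the question or answers: origin-checked handling of a
// postMessage hand-off, written as a pure function so it runs against constructed
// events. The origin and message shape are assumptions, not Firebase's wire format.

// The only origin allowed to deliver sign-in results to this page.
const HANDLER_ORIGIN = "https://myapp.firebaseapp.com";

function acceptAuthMessage(event, expectedOrigin = HANDLER_ORIGIN) {
  // 1. Origin check first: anything from another window is dropped before parsing.
  if (event.origin !== expectedOrigin) {
    return { accepted: false, reason: "origin" };
  }
  // 2. Shape check: only a well-formed object with the expected fields is used.
  const data = event.data;
  if (!data || typeof data !== "object" || data.type !== "auth-result") {
    return { accepted: false, reason: "shape" };
  }
  if (typeof data.code !== "string" || data.code.length === 0) {
    return { accepted: false, reason: "missing-code" };
  }
  return { accepted: true, code: data.code };
}

// In a browser the function is wired to the window like this:
//   window.addEventListener("message", (ev) => { const r = acceptAuthMessage(ev); /* ... */ });

// Constructed events standing in for window "message" events.
const fromHandler = {
  origin: "https://myapp.firebaseapp.com",
  data: { type: "auth-result", code: "constructed-code" },
};
const fromOtherSite = {
  origin: "https://other-site.example",
  data: { type: "auth-result", code: "constructed-code" },
};
const malformed = { origin: "https://myapp.firebaseapp.com", data: "not-an-object" };

console.log(acceptAuthMessage(fromHandler));   // { accepted: true, code: 'constructed-code' }
console.log(acceptAuthMessage(fromOtherSite)); // { accepted: false, reason: 'origin' }
console.log(acceptAuthMessage(malformed));     // { accepted: false, reason: 'shape' }
```

The same discipline applies on the sending side: the handler should post with an explicit targetOrigin rather than "*", so the result is only delivered to the page that was whitelisted for it.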
The myapp.firebaseapp.com/__/auth/handler is the URL that signs your users in with Firebase Authentication.
The accounts.google.com/o/oauth2/v2/auth URL signs you in with Google OAuth, but not with Firebase.
This flow is the same for all OAuth2 providers that Firebase supports. So if you'd sign in with Facebook, you'd see firebase auth handler -> facebook oauth handler -> firebase auth handler.

How to set up IP/domain-wise security rules in Firebase?

"Authentication requests to Firebase Simple Login are only permitted from domains you specify." and the two default domains are "localhost" and "127.0.0.1".
Let's say that my server's IP is "267.156.423.22". How do I set up my security rules so that the first two domains can read specific data, but only the server can write it?
For example, if a client purchases a product, this fact and associated data needs to be noted on the client's account in the Firebase. For obvious security reasons this information must be 'writeable' by the server only.
The authorized domains configuration for Firebase Simple Login applies solely to OAuth-based authentication providers (Facebook, Twitter, and GitHub), and restricts requests to those origins in the browser.
That means if you're using one of those OAuth-based authentication providers, you'd want to enter any origins which your end users will use to access the page (i.e. if your user accesses the page via subdomain.example.com, that'd be the origin to enter).
Keep in mind that Firebase Simple Login is built on top of the standard, one-size-fits-all custom login / token generation in Firebase. It is an abstraction layer intended to make it easy to generate Firebase Auth Tokens, a secure way of sharing data between you and Firebase.
Once a token has been generated (via Simple or Custom login), you can begin using that token's payload in your security rules (via the auth variable). If you'd want your server to bypass security rules, simply generate a token with the admin privilege, or use your Firebase secret. See https://www.firebase.com/docs/security/security-rules.html for more details.
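The answer's model (the token payload is available to rules as auth; a token with the admin privilege bypasses rules) can be seen in action with an added simulator, which is not Firebase's rule engine and not code from the thread. Rule expressions are written as JavaScript functions here instead of Firebase's string expressions, the data layout under users/$uid and the "admin" flag on the server's token are constructed, and the cascading behaviour (a grant at a parent path also grants its children) is modelled for the read and write operations the question asks about.

```javascript
// Added example, not from the question or answer: a small simulator of cascading
// read/write rules evaluated against a path with the token payload as "auth".
// Rules are JavaScript functions standing in for Firebase's string expressions.

const rules = {
  users: {
    $uid: {
      // A signed-in user may read their own record (and everything below it).
      ".read": (auth, vars) => auth !== null && auth.uid === vars.uid,
      // No client may write here; the server writes with an admin token,
      // which bypasses rules entirely.
      ".write": () => false,
      purchases: {
        // Children inherit the parent's grant; nothing here can re-tighten it.
      },
    },
  },
};

function isAllowed(rules, path, op, auth) {
  // A token carrying the admin privilege is not subject to rules at all.
  if (auth && auth.admin === true) return true;
  const key = op === "read" ? ".read" : ".write";
  const segments = path.split("/").filter(Boolean);
  const vars = {};
  let node = rules;
  // Walk from the root; the first rule along the path that grants access wins.
  for (let i = 0; i <= segments.length; i++) {
    if (node && typeof node[key] === "function" && node[key](auth, vars)) return true;
    if (i === segments.length || !node) break;
    const seg = segments[i];
    if (Object.prototype.hasOwnProperty.call(node, seg)) {
      node = node[seg];
    } else {
      // A "$name" key is a wildcard: bind the segment so rules can compare against it.
      const wildcard = Object.keys(node).find((k) => k.startsWith("$"));
      if (!wildcard) { node = null; break; }
      vars[wildcard.slice(1)] = seg;
      node = node[wildcard];
    }
  }
  return false;
}

// Constructed principals: two browser users, an unauthenticated client, and the
// server holding a token minted with the admin privilege.
const alice = { uid: "alice" };
const bob = { uid: "bob" };
const anonymous = null;
const server = { uid: "server", admin: true };

console.log(isAllowed(rules, "users/alice/purchases/1", "read", alice));  // true
console.log(isAllowed(rules, "users/alice/purchases/1", "read", bob));    // false
console.log(isAllowed(rules, "users/alice", "read", anonymous));          // false
console.log(isAllowed(rules, "users/alice/purchases/1", "write", alice)); // false
console.log(isAllowed(rules, "users/alice/purchases/1", "write", server)); // true
```

Nothing in this model keys on the caller's domain or IP, which matches the answer: the authorized-domains list governs where the OAuth providers will complete a login, while who may read or write a path is decided by the token's payload in the rules.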
