Can't login using Google Auth, 403: org_internal - google-signin

Can't login using Google Auth,
Error 403: org_internal
This client is restricted to users within its organization.

Go to cloud console (https://console.cloud.google.com/apis/)
APIs and services
Credentials
OAuth consent screen
Ensure Application type is set to "public" and not internal.
Obviously assuming that you are creating an app that should be accessible outside your org. If this is related to testing and phones, it is possible to create test users that are excepted from company policy rules.

The reason for this error is indeed because the Application type is set to "internal".
But setting it to public is not always the right answer...
Add "&prompt=select_account" to the authentication URL. This will force the user to select the correct (organization) account.
Without the parameter, Google tries to show the consent screen for the logged in Google-account, but as it is not an organization-account it will just display the 403 page without giving the user this choice.
https://developers.google.com/identity/protocols/OpenIDConnect#prompt
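An added example, not code from any of the answers here: it builds a Google authorization URL with prompt=select_account and, for apps that were switched to "public"/"External", checks the hd (hosted domain) claim of an already signature-verified ID token so that organization-only access is still enforced by the app. The function names, client ID, redirect URI and example.com domain are assumptions made for illustration.

```javascript
// Added example. buildAuthUrl and isOrgAccount are hypothetical helper names;
// the client ID, redirect URI and domain used with them are constructed values.
const AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth";

// Build the authorization URL. prompt=select_account makes Google show the
// account chooser instead of reusing whichever account is already signed in.
function buildAuthUrl({ clientId, redirectUri, state, nonce, hostedDomain }) {
  const params = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: "code",
    scope: "openid email",
    state,
    nonce,
    prompt: "select_account",
  });
  // hd only pre-selects the organization in the chooser. It is a hint that
  // the user can change, so it is not an access control on its own.
  if (hostedDomain) params.set("hd", hostedDomain);
  return `${AUTH_ENDPOINT}?${params.toString()}`;
}

// Server-side check on the ID token payload. Assumes the token signature,
// issuer, audience and expiry were already verified by a JWT library.
// Consumer accounts carry no hd claim, so they are rejected here.
function isOrgAccount(claims, hostedDomain) {
  return (
    typeof claims.hd === "string" &&
    claims.hd.toLowerCase() === hostedDomain.toLowerCase()
  );
}

// Constructed sample input.
const sampleUrl = buildAuthUrl({
  clientId: "constructed-client-id.apps.googleusercontent.com",
  redirectUri: "https://app.example.com/oauth/callback",
  state: "constructed-state",
  nonce: "constructed-nonce",
  hostedDomain: "example.com",
});
console.log(sampleUrl);
console.log(isOrgAccount({ email: "user@example.com", hd: "example.com" }, "example.com"));
console.log(isOrgAccount({ email: "someone@gmail.com" }, "example.com"));
```

With an "Internal" client Google enforces the organization restriction itself; the hd check matters once the client accepts accounts from outside the organization.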

I had an Internal app that I was trying to authenticate with one of our YouTube channels using an organization account, and I was getting the same error:
Authorization Error
Error 403: org_internal
This client is restricted to users within its organization.
After contacting Google Workspace Support, they asked me to change the restriction on it from Limited to Trusted.
Steps are mentioned in this support thread: https://support.google.com/a/answer/7281227
Open the Google Admin Console.
From the sidebar menu, choose: Security → API Controls.
Click on MANAGE THIRD-PARTY APP ACCESS button.
Hover the cursor over the required app and click on Change access.
Choose the option: Trusted: Can access all Google services
And save the CHANGE.
Once you're done, take note that there will be 24 hours of propagation on it before it gradually takes effect.

Make sure, for the browser you are using, that you have logged out of "All" Google account(s). This should force the "select account" window to display.
We have almost exactly the same problem while trying to configure WP Mail SMTP for WordPress.
The OAuth Client's Application Type has to be "Internal" so changing it to "External" was not an option for us.
Hope this helps.

I had the same issue, and in my case it was because the project didn't have a support email address set.
I fixed it by adding one in the Firebase Console > Project Settings > General under the Public settings section.

This error is most likely due to the configuration of your application in Google Cloud Platform.
Setting your application to "internal" is causing this error. Try making your app "external" in the OAuth consent screen, but make sure it is in a "testing" status. Then, add yourself to the test users. This configuration will work well for an internal, lightweight application.
Once complete, try to authenticate with the channel again.

I had the same issue with a project. The error only appeared if I tried to log in to my app while already logged in with an account outside the organization (worked just fine while logged out of all accounts, or while logged in with an internal organization account). I had to change the OAuth Client's Application Type from Internal to Public in the Google Dev Console.
More info can be found at https://support.google.com/cloud/answer/6158849?hl=en

Maybe you have another Google email to log in with, not the correct one.

Related

Google calendar API grantOfflineAccess() without a pop up

We have been working on an app that requires access to a user's Google Calendar. We have been using the grantOfflineAccess() method described in Google API's documentation - https://developers.google.com/identity/sign-in/web/reference#googleusergrantofflineaccessoptions
However, the problem we are facing is that this opens a pop-up and we need to do this via a redirect. Does anyone have any ideas on how to do this without a pop-up showing up?
Safari and Firefox block pop ups and this does not really work well on safari on mobile.
I was able to find a GitHub issue for this https://github.com/google/google-api-javascript-client/issues/288 but I have seen other websites do this without a pop up. You can check zendesk & frontapp.com - both of whom take offline grant for the users signing in.
Any ideas or help would be appreciated.
The only way to access a user's data is to have a user grant you permission to access that data. This is done through OAuth2: a user is prompted to log in to their Google account, then they are given a screen with the scopes of permissions that you are requesting.
There is no way around this. You will always have to ask a user at least once to grant you permission to access their data. If you are requesting offline access, you will be given a refresh token that you can use to request a new access token and access the user's data when they are not online.
As for popups they shouldn't be displaying as popups they should be opening in a new browser window.

Firebase authentication Email link passwordless - Do I have to make my own server side app to handle authentication

So I've followed the guide here https://firebase.google.com/docs/auth/android/email-link-auth and am able to make an email get sent out successfully.
If I click that link on my desktop, it tries to take me to a website with the following image
Should I be writing my own server based app to authenticate this? I assumed Firebase would handle that for me. The guide doesn't mention anything about what happens at all.
It does talk about this
// URL you want to redirect back to. The domain (www.example.com) for this
// URL must be whitelisted in the Firebase Console.
.setUrl("https://www.example.com/finishSignUp?cartId=1234")
I changed it to use the domain of my firebase app/project e.g. myapp-123456.firebaseapp.com, assuming that Firebase would have something to handle this.
Am I missing a large section of documentation?

how to change existing appname from firebase sms verification. %LOGIN_CODE% is your verification code for %APP_NAME% [duplicate]

In the Firebase console, in the menu Authentication -> Templates,
there is an SMS verification template:
%LOGIN_CODE% is your verification code.
How to change this message template?
firebaser here
Neither the email verification template nor the SMS verification template can be modified. You can select the language from the Firebase console, however this is a per project setting and you can't modify the templates.
We understand that changing the template would allow you to tweak the user-experience of your app, but we don't allow this to prevent abuse of the service.
Update 1 year later, still a no go, but I received this back from support:
The Firebase SMS Authentication message content will depend on the platform you are requesting that message from. Here is a list of the possible variations you may get:
iOS and Android - The SMS messages draw the app's name from the App Store / Play Store. Once an app is published, the correct name should start appearing. There may be a small delay (a week or two at most).
Web - It will always use the domain that the SMS is requested from. To modify it, you can set up a custom domain.
iOS (using reCAPTCHA) - Phone authentication on iOS will show the project's URL instead of the app's name in the verification SMS when using the reCAPTCHA flow. This is expected behavior. The reCAPTCHA flow was added for cases where an APNS token is not available (including on real devices). If APNS is not correctly configured, a real device will default to the reCAPTCHA flow.
Unfortunately, neither the email verification template nor the SMS verification template can be modified. You can select the language from the Firebase Console, however this is a per project setting and you can't modify the templates.
We understand that changing the template would allow you to tweak the user-experience of your app, but we don't allow this to prevent abuse of the service. I hope this clears your consults about this topic. If you happen to have any more questions, please, do not hesitate to write back!
While you cannot change the content of the message, you can change the app's URL mentioned in the SMS.
Go to Authentication > Sign-in Method > Authorized domains and add your own domain website.tld
Now edit the Firebase config object (in your source code) and update the authDomain key to the domain you linked earlier.
Send a new test message, you're good to go.
As per Firebase Support, the %APP_NAME% should be shown in your Firebase settings, wherein the %APP_NAME% is named after the Public-facing name in public settings.
EDIT:
I first checked where "localhost" is located and found it under "Authentication > Sign-in method"; under "Authorized domains" you will find "localhost". In order to change localhost you need to add a new domain.
Note:
Be careful when deleting localhost from your authorized domains. It will take time for OTP requests to function.
This one helps:
Go to Authentication > Sign-in Method > Authorized domains and add your own domain website.tld
Now edit the Firebase config object (in your source code) and update the authDomain key to the domain you linked earlier.

Firebase Authentication partially working (only email)

After months of developing a web app under Firebase, suddenly these days we have a problem with the authentication: it returns this console alert only with Facebook and Google login (email/pass login works fine):
[firebase-auth] Info: The current domain is not authorized for OAuth
operations. This will prevent signInWithPopup, signInWithRedirect,
linkWithPopup and linkWithRedirect from working. Add your domain
(front.qualify.mx) to the OAuth redirect domains list in the Firebase
console -> Auth section -> Sign in method tab.
The app uses 3 different sub-domains, and in all 3 we can access over email/pass but not Facebook nor Google.
We tried updating the Firebase initialization script, nothing. We have checked the API keys (in the Google APIs Credentials) and there was a new "Server key (auto created by Google Service)" which no one told us it was generated (Jan. 18th), so we edited it to include the domains as the original API key in different ways (w/wo * and /*), nothing. We deleted this new Server Key, suddenly something different, now the console includes a 403 error before the alert stated above and returns auth/timeout code inside the object.
We also found the Identity Toolkit API has detected many errors, so we tried to add the URLs for login, logout and email, but nothing happens when trying to save.
What are we missing?
The solution was adding my-app.firebaseapp.com (my-app being the unique identifier of our Firebase App) to the HTTP referrers in the Browser-Key Credentials from the Google APIs console and waiting some time for it to propagate.
After many months of development the app never had a problem, and we are sure we never removed such referrer (if it was ever there).
Anyway... it's done and learned.
The simple way I was able to solve this issue I had with my Ionic project was by following the instructions in the log. If you don't see any message, try to console.log the response from Firebase.
So what I simply did was follow the URL: https://console.developers.google.com/apis/api/identitytoolkit.googleapis.com/overview?project='projectId'
*projectId = the ID of your project
and enabled the Identity API, something it brought up. Finished, and it worked instantly.
