Why can't I add firebase dynamic url as allowed redirect_url for google oAuth? - firebase

I am working on a React Native based project where Google made it frustratingly hard to implement their OAuth without using an SDK.
First of all, WebView is not allowed for OAuth. So I attempted to implement it through a normal browser / Chrome tab where the redirect is my app id, like com.myCompany.myApp, but when I add this as an allowed OAuth redirect URL I get an error in Google Cloud Console that this is not a valid redirect URI for a web based project.
I then tried to set it up with Firebase Dynamic Links, but when I save the changes it errors with "Request contains an invalid argument".

Different types of OAuth keys have different redirect requirements and best practices. They are too numerous to name them all, so please see this documentation.
In general, if it's an installed app or a mobile app, the redirect URI isn't as important because you are just redirecting back to the app. However for web based app OAuth keys, you will need to be very careful with the redirect because it carries your access token. You can read more about redirect URIs and see what would qualify as a proper URI.
Basically Google makes sure your URI seems ok for your OAuth key type, otherwise it will reject it.

You can't use it because your app id is not a valid URI.
This is the path in your application that users are redirected to after they have authenticated with Google. The path will be appended with the authorization code for access. Must have a protocol. Cannot contain URL fragments or relative paths. Cannot be a public IP address.
You can't redirect to an app id; there is no way of knowing where the redirect should go. The following are valid redirect URIs:
http://test.example.com/index.php
http://localhost:38898/signin-google

Related

Oauth what redirect uri for wordpress plugin

I am creating a free WordPress plugin that interacts with the Spotify API.
Users can download it, install it on their websites, activate it, and they can then get specific information about a track.
Everything works in the v1 version. However, I have trouble with the redirect URI.
I have to specify a specific redirect URI with Spotify; however, the redirect differs on every install, since it's a different domain.
Should I redirect everything to a domain that I own, and redirect from there?
Is there a way to have a dynamic redirect URI?
Is there another method I don't know?
Please help!
I managed to fix this using a fixed redirect URI and the state parameter.
Every OAuth authorization is sent to the same redirect URI, which is a domain that I control.
I added the domain which the OAuth originated from to the state parameter.
From that point I am able to redirect the user back to the original domain. This whole process goes so fast that it feels like a dynamic redirect URI, but in reality it is not.

Google OAuth Credentials Redirect URIs problems

I have an app in Xamarin Forms, and I need to implement Google authentication. In my Google API, I have OAuth credentials using Web Application.
The problem is in the Authorized redirect URIs: when I configure the URI using https, I can choose which account to log in with. After choosing the one I want, I get this error:
Watching some YouTube videos, I've seen that I need to use HTTP instead of HTTPS, but when I try it this way, I get this error BEFORE I get the list of Google user accounts:
So I'm stuck on it and can't authenticate the user.
I'm using Xamarin Forms, and in the app there's no exception thrown.
The redirect URI (where the response is returned to) has to be registered in the APIs console, and the error is indicating that you haven't done that, or haven't done it correctly.
Go to the console for your project and look under API Access. You should see your client ID & client secret there, along with a list of redirect URIs. If the URI you want isn't listed, click edit settings and add the URI to the list.
Note that a change made in the Google API console can take some time to take effect. Generally only a few minutes, but sometimes it seems longer.

Why does Firebase Auth use a "middleware" redirect before returning to my app?

I'm trying to add authentication to my web app by using Firebase Auth and I would like to avoid using the Firebase JS SDK because it's too big in my opinion, and also as an exercise for getting to know the underlying protocols better.
I've noticed that the Firebase Auth SDK doesn't directly redirect to the OAuth endpoint and then back. Instead, it redirects to https://my-app.firebaseapp.com/__/auth/handler, which then redirects to the OAuth endpoint with itself as the callback, and then back to my requested callback URL.
So basically instead of:
myapp.com
↓
accounts.google.com/o/oauth2/v2/auth
↓
myapp.com
This happens:
myapp.com
↓
myapp.firebaseapp.com/__/auth/handler
↓
accounts.google.com/o/oauth2/v2/auth
↓
myapp.firebaseapp.com/__/auth/handler
↓
www.myapp.com
I couldn't find any documentation about this API anywhere, but I think that maybe it's an internal middleware for CSRF prevention, or maybe just an API that does the heavy lifting of closing the gap between different federated identity APIs.
The reason I'm interested in this is that it can save me some time and possibly money if it does one of the above, and I'm pretty sure I might learn something new from it (I at least hope so).
So, what is the https://my-app.firebaseapp.com/__/auth/XXX endpoint used for, and is there any docs on using it?
It is mostly for ease of use and convenience. You just use one whitelisted callback URL for all your OAuth providers (set up just one redirect URL for all your OAuth providers). You don't have to worry about hosting it as Firebase Auth does that for you. Now you can host your application in multiple domains for production, localhost for development, etc. As long as these are whitelisted in your project, you can sign in with any OAuth provider of your choosing. You can add and remove whitelisted domains from one place in your project settings. Note some OAuth providers in the past used to allow only one callback URL. This would have bypassed that limitation.
It will also work for popup flows too as well as the typical OAuth redirect flow. For example, many developers choose to use popup flows for desktop and redirect for mobile devices.
Notice also that for the redirect flow, it does not pass the OAuth authorization code, etc. back to your webpage via the URL query string; instead it does that via iframe postMessage. So the redirect back to the original URL will have the exact same URL, unmodified. So you can start with https://www.example.com/#login and then go back to the same URL to complete login.
In addition, it does not require server side code as is typically done with Express, Passport, etc. No boilerplate code either.
The myapp.firebaseapp.com/__/auth/handler is the URL that signs your users in with Firebase Authentication.
The accounts.google.com/o/oauth2/v2/auth URL signs you in with Google OAuth, but not with Firebase.
This flow is the same for all OAuth2 providers that Firebase supports. So if you'd sign in with Facebook, you'd see firebase auth handler -> facebook oauth handler -> firebase auth handler.

ASP.NET web API login with Facebook stopped working

I am developing an ASP.NET web app which uses Facebook authentication, and up until August or September the Facebook login feature was working correctly.
I took a break from developing the app for a month or so, and recently resumed development. I tried again recently to log in to the app with Facebook, and I get this error message:
"URL Blocked: This redirect failed because the redirect URI is not whitelisted in the app’s Client OAuth Settings. Make sure Client and Web OAuth Login are on and add all your app domains as Valid OAuth Redirect URIs."
I haven't changed any code from my app since September or August, so something must have changed in the way Facebook processes its logins.
I have made changes to the Facebook app settings to try and fix this but nothing works.
My current settings look like this:
Client OAuth Login: Yes
Web OAuth Login: Yes
All the other settings under the Facebook Login product are set to No.
My current redirect URIs look like this:
https://myapp.azurewebsites.net/api/ExternalLogin/Facebook
https://myapp.azurewebsites.net/api/ExternalLogin/FacebookCallback
https://myapp.azurewebsites.net/api/signin-facebook
https://myapp.azurewebsites.net/api/ExternalLogin/Facebook/signin-facebook
Originally I only had the "/FacebookCallback" URI. I only added the others following suggestions from other questions here on Stack Overflow, but I am still getting the same error message.
Can anyone help me figure out what I am missing?
Please make sure:
Your App IDs and Secret Keys are correct. The App IDs and Secret Keys are all different for each app. These often cause the problem.
Your App domain set to:
myapp.azurewebsites.net
Your site URL set to:
http://myapp.azurewebsites.net/
You have set the URI properly, like:
http://myapp.azurewebsites.net/facebook/login/callback/
Update:
Make sure you have placed a / at the end of all your URIs.
https://myapp.azurewebsites.net/api/ExternalLogin/Facebook/
https://myapp.azurewebsites.net/api/ExternalLogin/FacebookCallback/
https://myapp.azurewebsites.net/api/signin-facebook/
https://myapp.azurewebsites.net/api/ExternalLogin/Facebook/signin-facebook/
OR
localhost:44396/api/ExternalLogin/FacebookCallback/

Making Google Oauth work locally with subdomains

I'm developing a website using ASP.NET Identity that will work with subdomains that identify a client, using some information from here. I've got subdomains working locally, but I can't get it to work with OAuth.
For example, if I go to https://localhost:44301 and try to log in with Google, everything is fine. In my Google console I have https://localhost:44301 under "Authorized JavaScript origins" and https://localhost:44301/signin-google under "Authorized redirect URIs". But when I go to https://foo.localhost:44301 and try to log in, Google will respond with:
Error: invalid_request
Invalid parameter value for redirect_uri: Non-public domains not allowed: https://foo.localhost:44301/signin-google
I can add https://foo.localhost:44301 to "Authorized JavaScript origins" in the Google console, but it won't let me add https://foo.localhost:44301/signin-google under authorized redirect URIs because it will complain:
Invalid Redirect: https://foo.localhost:44301/signin-google must end with a public top-level domain (such as .com or .org)
Some other questions and answers suggest redirecting all subdomains to a single domain for OAuth, but ideally I want to keep logins per subdomain. So if you use Google to sign in to foo.mydomain.com it will be separate from bar.mydomain.com, and I don't think that'll work if I have to redirect both to the same single domain (although I'm not sure that's going to work without separate projects in Google).
Google and, in general, other OAuth2/OIDC providers will support redirecting to sub-domains. Your specific problem is that you seem to be trying to use sub-domains of localhost, which is in the list of Special-Use Domain Names (RFC 6761), and it seems Google has additional constraints for those.
However, this is not a real limitation, because in production you'll use a public top-level domain from where you'll have the specific sub-domains.
If you need to have this working for local development, you can use localtest.me, which allows you to set any sub-domain you like (foo.localtest.me and bar.localtest.me) while still ensuring that the domain resolves to your local machine (127.0.0.1). This should stop Google from complaining about it...
