I am trying to use google authentication API to have a google log-in on my web API project. Created the OAuth
and I enabled the Google+ API
added the Client ID and Client Secret on my Startup.Auth
app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions()
{
ClientId = "497652290327-gd5h0lrheuqcrtccp2c4rqi8dt5vpfb8.apps.googleusercontent.com",
ClientSecret = "sPGGSo2d7VZX7YnRNGmCPQDv"
});
but when I try to log in the URI dispalys
http://localhost:54388/#error=access_denied
It consued me because I followed every steps from the tutorial of kudvenkat but still encountered this error. Did I do something wrong
Note that the credentials that I am using on this google log in does not exist on my database (if that matters)
Ensure that you have the lastest OWin / FacebookAuth Nuget packages and that your application has a valid connection string to a SQL database with migrations applied if using code-first.
Also check that the clientID & secret are correct, on the google apis console it should show some traffic on the client app
Related
Cant establish persistent API connection to GA4 from Make (formerly Integromat). I use an HTTP OAuth 2.0 connection
I've enabled the Google Analytics Data API v1
In GCS I've created a project, Enabled the above mentioned API with authorized domains integromat.com and make.com and also created an OAuth 2.0 app. The scopes I added was:
https://www.googleapis.com/auth/analytics.readonly
https://www.googleapis.com/auth/analytics
I created credentials for a web app with the Authorized redirect URI’s of
https://www.integromat.com/oauth/cb/oauth2
https://www.integromat.com/oauth/cb/google/
The connection works but only for a short period (I assume the token expires). To try and mitigate this I created a service account. That does not work as I cant find a way to add an authorised URI to a service account. This is the Make error:
Error 400: redirect_uri_mismatch
You can’t sign in to this app because it doesn’t comply with Google’s OAuth 2.0 policy.
If you’re the app developer, register the redirect URI in the Google Cloud Console.
Request details: redirect_uri=https://www.integromat.com/oauth/cb/oauth2
Any ideas please? I’m truly stuck
Your question lacks a bit of information as to what it is exactly you are trying to do. However there is enough here that I can help you clear up a few issues or miss understandings.
Oauth2
Oauth2 allows your application to prompt a user to request permission to access their data. The authorizaton server returns to you an access token, this access token is good for only an hour and then it will expire.
If you are using a server sided programming language then you can request offline access, at which point the authorizaiotn server will return to you an access token and a refresh token. The refresh token can then be used by you when needed to request a new access token.
service accounts.
Service accounts can be used if you are only accessing private data that you the developer own. You can create a service account, then go in the admin section of the google analytics website and add the service account as a user it will then have access to that account. There will be no need to request consent of a user to access the data it will just work. Note: service accounts only work with server sided programming languages.
redirect uri issue.
The redirect uri must exactly match the web page that your application is sending. In this case the error messages says you are missing https://www.integromat.com/oauth/cb/oauth2 you should add that.
Google OAuth2: How the fix redirect_uri_mismatch error. Part 2 server sided web applications.
in order to programmatically retrive some AppTraces and AppExceptions info from an Azure Application Insights Logs resource, we followed the instructions included in the following article advicing to adopt the new Azure Monitor Query client library for .NET to fulfill the purpose.
https://learn.microsoft.com/it-it/dotnet/api/overview/azure/Monitor.Query-readme?view=azure-dotnet
Strictly following the above article instructions (and using the DefaultAzureCredential object to authenticate), we managed to get the client library's LogsQueryClient object working fine in the local version of the developed web api (ASP .NET Core 6.0). And so, locally we are eable to fetch the logs info we need.
But once we published the web api on the Cloud (under the same Azure subscription of the Application Insights target resource) we started to get the following error:
Message: The provided credentials have insufficient access to perform the requested operation
Status: 403 (Forbidden)
ErrorCode: InsufficientAccessError
N.B.
Surprisingly we didn't find any thread explaining, step by step how to fix the problem with specific reference to the new Azure Monitor Query client library.
To fix the issue, we tried replacing the class DefaultAzureCredential with the class ClientSecretCredential generating and assigning it a new client secret.
Here are the details concerning the steps we followed to implement the ClientSecretCredentials.
In particular, we have:
Setup a new Azure AD Application.
Assigned it the required permissions ==> Data.Read (Read Log Analytics data - Granted from Admin).
Assinged to the Registered App (AAD Application) the Reader Role from the Application Insights Resource's Access control (IAM) section of the Azure Portal.
Created a new client secret for the AAD Application.
Created a new Azure Web API, on witch we Installed the Azure Monitor Query client library for .NET.
To retrive Logs data, we programmatically istantiated a new Azure.Identity.ClientSecretCredential object, assigning it the right tenantId, the client (application) ID of the AAD Application and the client secret previously generated for the App Registration.
In the Program.cs file of the web api we created a singleton instance of the class LogsQueryClient assigning it the above ClientSecretCredential object.
And finally we invoked the QueryWorkspaceAsync method of the class LogsQueryClient, passing it the WorkSpaceId of the Application Insights Resource (whom logs have to be read) and the query to retrive.
Unfortunately, replacing the class DefaultAzureCredential with ClientSecretCredential didn't work and the error message keeps to be the same.
N.B.
The AAD User Type of the user who: developed and released the web api, registered the new Azure AD Application and granted it the necessary permissions is "Member".
The above user, refers to the same tenant id as the resources he managed in the above steps (Web Api, AAD Application etc).
During the release process of the web api, a new API Management service was specifically created by the same user releasing the app.
Here are the code snippets:
Program.cs
builder.Services.AddAzureClients(builder =>
{
static LogsQueryClient func(LogsQueryClientOptions options)
{
options.Retry.Mode = Azure.Core.RetryMode.Exponential;
options.Retry.MaxRetries = 5;
var csc = new ClientSecretCredential(tenantId, clientId, clientSecret);
return new LogsQueryClient(csc, options);
}
builder.AddClient<LogsQueryClient, LogsQueryClientOptions>(func);
var credentials = new ClientSecretCredential(tenantId, clientId, clientSecret);
builder.UseCredential(credentials);
});
Controller.cs (get logsQueryClient through dependency injection)
Response<LogsQueryResult> response = await logsQueryClient.QueryWorkspaceAsync(workSpaceId, query);
The provided credentials have insufficient access to perform the requested operation
The error clearly shows that it doesn't have a sufficient access to process the request.
To identify the new RBAC permission, Azure App Insights REST API takes an hour to sync with AAD and it throws Status 403 as error code without complete sync. Refer MS-DOC for related stuff
Basically, this error can happen when the user doesn't have access to authorize Access token with AAD
Provide the required access to the user which you want to authorize.
Make sure to check your request are valid before processing your APi request in Production Environment. (Token, GUID, etc.,).
Thanks for your appreciated help.
We finally managed to spot where the problem was.
After the point 3 listed in our original post:
<<Assign to the Registered App (AAD Application) the "Reader Role" for the Application Insights acting from the resource's Access control (IAM) section of the Azure Portal.>>
... We omitted to do the same thing for the Log Analytics workspace.
Each Application Insight resource refers infact to a specific Workspace.
For that reason, it is necessary to assign the same reader role to the Registered App also for the above workspace.
Log Analytics workspaces too have infact an Access control (IAM) section in the Azure Portal, just like the other resources.
Assigning this role to the AAD registered app the issue was fixed.
I have a react-native app that handles authentication using Firebase. That works great
The app calls serverless functions in Azure which id like to add authentication to by selecting an identity provider.
Azure Function App Identity Provider Options
Ive tried using OpenID Connect with the following configuration values but had no luck
metadata url: https://securetoken.google.com/{my-project-id}/.well-known/openid-configuration
client id: 412-3gp*******************.apps.googleusercontent.com
client secret: taken from the link below
https://console.cloud.google.com/apis/credentials?authuser=1&project={my-project-id}&supportedpurview=project
Firebase OpenId configuration
Process:
Get idToken from the already-authenticated Firebase user in my app
Pass that (jwt)idToken as a Bearer authentication header when calling my Azure function
Result:
401 unauthorised response
No response body is present
Expected result:
200 response
Does anyone know if its possible to use Firebase as an OpenId identity provider and if so, where I should get the correct ClientId and Client secret values from?
I notice the are some value in the Firebase console and also some in the Google cloud console
I've been facing exactly the same issue this morning and managed to get it working.
I initially did the same as you and set the client ID to be xxxxxxxx.apps.googleusercontent.com. That client ID value came from the same page you have liked to above for the client secret. Those values still resulted in the 401 error.
When I changed the client ID to be the Firebase project ID it all started working as expected.
I am getting redirect_uri_mismatch error while getting refresh token using Google Calendar API V3. I have web application, which shows google calendar access consent window to user and if user allow access than i store refresh token received from request to my database. I also have windows service which runs once daily. This service fetch google calendar events for all users who have allowed calendar access into my application. It is working fine in my local environment but gives error on live site.
I have choose Application Type as Other while generating client id and secret. How can i resolved this error on live URL or where can i change redirect uri in Google API Console?
I have both web application and windows service using calendar api so i want same client id and secret needs to be used for both. Generating separate token for application type web application and other for windows service is not an option for me because i have tried that and it throws unauthorized client error while windows service try to fetch calendar events using refresh token generated throw web application client id & secret.
This error indicates that you are using the web redirect flow instead of the recommended flow with JS widget support. The web redirect flow does not take advantage of many features such as Cross-Device Sign-On, Over-the-Air Install, and so on.
This issue is related to the Authorized Redirect URI field settings for the Client ID.
To resolve:
Access your list of credentials in the Google API Console .
From the project drop-down, select your project .
On the Credentials page, look for the list of OAuth 2.0 client IDs, and select the web application client ID. This takes you to a details page.
In the Restrictions section, the Authorized Redirect URI field(s) should contain the appropriate protocol, host name, port, and path information that will receive the redirected flow.
Here's a related SO ticket: Google OAuth 2.0 redirect_uri_mismatch error
Hi
I am developing an application on android(3.0) and trying to use the Evernot API. I downloaded Evernote API with sample and trying to play with it.
I working with evernote sample application name "HelloEDAM" , when i run the application following error displays at screen
"Error initializing Evernote API".. i have the API consumer secret and consumer Key which is send by Evernote to me and also providing the right username and password. Any idea what could be the problem?
many thanks !!
That error is shown if we're unable to authenticate to Evernote. Common causes of this are:
Your application doesn't have internet permissions
Your consumer key and consumer secret are incorrect
You requested a web service API key, which must authenticate using OAuth, but are attempting to authenticate using username & password
You are using an Evernote username and password from our production service but are attempting to authenticate against our sandbox server
We also log a message that contains the exception that caused the error.